2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SOPHISTICUFFS: THE RUMBLE OVER ADVERSARY SOPHISTICATION
BSides San Diego 2017
PAUL JARAMILLO
PAUL JARAMILLO
Twitter: @DFIR_Janitor
Biography
Currently: Principal Consultant @CrowdStrike
Previously:
- Fortune 500 Energy
- Fortune 100 Manufacturing
- Fortune 10 Conglomerate
- Dept. of Energy
- Fortune 100 Telecommunications
Focused on Incident Response & Digital Forensics
State of Affairs
Sophistication vs Effectiveness
Sophisticated Actor vs Attack
Measurements of Sophistication
Adversaries of Infamy
Recommendations
STATE OF AFFAIRS
- Breachapalooza continues
- Struggles to implement common critical controls
- Continued resource misallocation on buzzwords & knee jerks
- Massive inequality between InfoSec haves and have-nots
- Dwell time improving
- Board awareness & engagement vastly increasing
- Defending failures with "Sophisticated"
STATE OF AFFAIRS
- You had me at "Sophisticated" Attack :-/
  - Password dump, guessing, reuse
  - Phishing
  - Fake login portal
  - Common tools, exploits (mimikatz, wiper, etc)
  - Ancient vulnerabilities (JBoss, Cold Fusion, MS08-067, Wordpress, etc)
  - Ransomware
Image Credit: reddit.com
SOPHISTICATION VS EFFECTIVENESS
- Why does sophistication matter so much to the armchair incident responder?
- We know it matters to security vendors :)
- Should it matter to the impacted org?
  - Tight correlation with chances for successful defense
  - "Commercially reasonable effort" scapegoat
  - Supports better resource allocation
Image Credit: imgur.com
SOPHISTICATED ACTOR VS ATTACK
Rule #1 - Sophisticated Actor != Sophisticated Attack
Sophisticated Actor = [Basic Attack … Sophisticated Attack]
Image credit: xkcd.com
SOPHISTICATED ACTOR VS ATTACK
Rule #2 - Sophisticated Actor != Zero Days
Sophisticated Actor = [Code Reuse, Custom Malware, Custom Tools, Zero Days, Etc]
On APT - "We personally do not believe in the advanced part of the acronym, unless the threats involve specific zero-day exploits"
ORLY?
MEASUREMENTS OF THREAT ACTOR SOPHISTICATION
- Attack Precision
- Cross-platform Capabilities
- Targeting
- OPSEC
- Resilience
- Stealth
ACTORS - ATTACK PRECISION
Ability of Threat Actor to closely align their planned attacks with an organization's given vulnerabilities, including overall efficiency
- WEAK(1) – Spray & pray, exploit kits, Apache exploits against IIS, etc
- BASIC(4) – Brute force, observable mistakes such as CLI typos, accidental AV & IDS detection
- STRONG(7) – Skillful targeting of people, authentication & directory services
- FIERCE(10) – Demonstrated mastery of unique business process, timing, and/or closed technologies
ACTORS - CROSS PLATFORM CAPABILITIES
Ability of Threat Actor to operate in a full spectrum of diverse technologies
- WEAK(1) – PHP websites, cracked MS Windows
- BASIC(4) – MS Windows client & servers, web servers
- STRONG(7) – OSX, Linux, Unix, Android, IoT(?)
- FIERCE(10) – Embedded computing, firmware, telecommunications & network gear, and other closed systems
ACTORS - TARGETING
Ability of Threat Actor to successfully compromise well-defended "hard" targets, as compared to "soft" targets
- WEAK(1) – Grandma, individual credit cards & banking, software licenses
- BASIC(4) – Corporate brands, political causes, corporate wire fraud
- STRONG(7) – Data theft, destruction or modification with grave damage to organization or national security implication
- FIERCE(10) – Critical systems or processes (kinetic damage, financial catastrophe)
ACTORS - OPSEC
Ability of Threat Actor to avoid providing their adversaries with any useful information about them
- WEAK(1) – Bragging that you did it, claiming responsibility
- BASIC(4) – Observable tool marks, traceable personas
- STRONG(7) – Breadcrumbs, diversified tools & infrastructure
- FIERCE(10) – Frame someone else, clandestine, covert
ACTORS - RESILIENCE
Ability of a Threat Actor to maintain access in an organization's environment
- WEAK(1) – AV solves your problem
- BASIC(4) – Indicator blocks, reimages, and password changes solve your problem
- STRONG(7) – Complex remediation, requiring 3rd party assistance
- FIERCE(10) – Source code compromise, supply chain compromise, human implant
ACTORS - STEALTH
Ability of Threat Actor to avoid detection
- WEAK(1) – Mass scanning, large phishing campaigns
- BASIC(4) – "Smash & grab" aka immediate action on objectives
- STRONG(7) – Less than 1 year average dwell time
- FIERCE(10) – Greater than 1 year average dwell time with continued activity
ADVERSARIES OF INFAMY
Anonymous - 18 (2006 to Present, 2010 Operation Payback, 2011 HBGary)
- Attack Precision (4)
- Cross Platform Capability (4)
- Targeting (4)
- OPSEC (4)
- Resilience (1)
- Stealth (1)
Image Credit: ArsTechnica
ADVERSARIES OF INFAMY
Carbanak/Carbon Spider - 35 (2013 to Present, SWIFT attacks, hotel chains, retail, etc)
- Attack Precision (10)
- Cross Platform Capability (7)
- Targeting (4^)
- OPSEC (4)
- Resilience (4)
- Stealth (4)
Image Credit: Buzzfeed
ADVERSARIES OF INFAMY
Silent Chollima/DarkSeoul - 36 (2009 to Present, South Korea, Sony, etc)
- Attack Precision (7)
- Cross Platform Capability (4)
- Targeting (7)
- OPSEC (4)
- Resilience (7)
- Stealth (7)
Image Credit: KnowYourMeme
ADVERSARIES OF INFAMY
Axiom/Aurora Panda/APT17 - 51 (2009 to Present, Google, Adobe, Bit9, etc)
- Attack Precision (10)
- Cross Platform Capability (7)
- Targeting (10)
- OPSEC (7)
- Resilience (7)
- Stealth (10)
Image Credit: people-you-knew.tumblr.com
ADVERSARIES OF INFAMY
Equation Group - 60 (1996 to Present, Stuxnet, Flame, Grayfish)
- Attack Precision (10)
- Cross Platform Capability (10)
- Targeting (10)
- OPSEC (10)
- Resilience (10)
- Stealth (10)
Image Credit: Kaspersky
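The ACTOR rubric from the preceding slides, worked through in Python as an added example (not the speaker's code): each actor is scored 1, 4, 7 or 10 on the six dimensions, the composite is the sum, and a consistency check reports any slide whose printed total disagrees with its own dimension scores. Carbanak's "4^" Targeting score is transcribed as a plain 4 here, so the check surfaces that slide rather than silently accepting either number.

```python
"""ACTOR sophistication scoring as presented in the deck (added example).

Six dimensions, each rated on the deck's scale WEAK(1) / BASIC(4) /
STRONG(7) / FIERCE(10); the composite is the plain sum, so it ranges 6..60.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DIMENSIONS = (
    "Attack Precision",
    "Cross Platform Capability",
    "Targeting",
    "OPSEC",
    "Resilience",
    "Stealth",
)

# The only legal per-dimension values; anything else is a transcription error.
LEVELS = {1: "WEAK", 4: "BASIC", 7: "STRONG", 10: "FIERCE"}

MIN_TOTAL = len(DIMENSIONS) * min(LEVELS)  # 6
MAX_TOTAL = len(DIMENSIONS) * max(LEVELS)  # 60


@dataclass
class ActorProfile:
    name: str
    scores: Dict[str, int]            # dimension -> 1 | 4 | 7 | 10
    stated_total: Optional[int] = None  # total printed on the slide, if any

    def __post_init__(self) -> None:
        # Reject profiles with missing/unknown dimensions or off-scale scores.
        missing = set(DIMENSIONS) - set(self.scores)
        extra = set(self.scores) - set(DIMENSIONS)
        if missing or extra:
            raise ValueError(f"{self.name}: bad dimensions {missing | extra}")
        bad = {d: s for d, s in self.scores.items() if s not in LEVELS}
        if bad:
            raise ValueError(f"{self.name}: scores off the 1/4/7/10 scale {bad}")

    def total(self) -> int:
        return sum(self.scores.values())

    def level(self, dimension: str) -> str:
        """Rubric label (WEAK/BASIC/STRONG/FIERCE) for one dimension."""
        return LEVELS[self.scores[dimension]]

    def total_matches_stated(self) -> bool:
        """False when the slide's printed total disagrees with its own scores."""
        return self.stated_total is None or self.stated_total == self.total()


def profile(name: str, stated: Optional[int], *scores: int) -> ActorProfile:
    """Build a profile from scores given in DIMENSIONS order."""
    return ActorProfile(name, dict(zip(DIMENSIONS, scores)), stated)


# Scores transcribed from the "Adversaries of Infamy" slides above.
DECK_PROFILES: List[ActorProfile] = [
    profile("Anonymous", 18, 4, 4, 4, 4, 1, 1),
    profile("Carbanak/Carbon Spider", 35, 10, 7, 4, 4, 4, 4),
    profile("Silent Chollima/DarkSeoul", 36, 7, 4, 7, 4, 7, 7),
    profile("Axiom/Aurora Panda/APT17", 51, 10, 7, 10, 7, 7, 10),
    profile("Equation Group", 60, 10, 10, 10, 10, 10, 10),
]


def rank(profiles: List[ActorProfile]) -> List[ActorProfile]:
    """Highest composite first; ties broken by name for stable output."""
    return sorted(profiles, key=lambda p: (-p.total(), p.name))


def fierce_dimensions(p: ActorProfile) -> List[str]:
    """Dimensions rated FIERCE(10): where a defender is most outclassed."""
    return [d for d in DIMENSIONS if p.scores[d] == 10]


def inconsistent_totals(profiles: List[ActorProfile]) -> List[str]:
    """Names whose printed total is not the sum of their dimension scores."""
    return [p.name for p in profiles if not p.total_matches_stated()]


if __name__ == "__main__":
    for p in rank(DECK_PROFILES):
        note = "" if p.total_matches_stated() else f"  (slide says {p.stated_total})"
        print(f"{p.total():>2}/{MAX_TOTAL}  {p.name}{note}")
```

Swap in your own scored actors for `DECK_PROFILES` to get the ranked list recommendation 3 asks for; the validation in `__post_init__` catches scores that drift off the four-level scale.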
RECOMMENDATIONS
- Before calling out an organization
  - Could you detect it? Prevent it?
Image Credit: quickmeme.com
RECOMMENDATIONS
Become a better defender and threat intelligence consumer
1. Collect & analyze all indicators, TTPs, and associated context around your own incidents using the Kill Chain model
2. Complete your own organizational threat profile
3. Collect & analyze available data around threat actors targeting your organization using the ACTOR model
4. Proactively provide messaging around high visibility threats & risks
5. Align organizational priority around your biggest threats (e.g. new controls, threat hunting, M&A, people, etc)
QUESTIONS?
Image Credit: memecrunch.com
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

BSides San Diego 2017 - Sophisticuffs: The rumble over adversary sophistication

1. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SOPHISTICUFFS: THE RUMBLE OVER ADVERSARY SOPHISTICATION
PAUL JARAMILLO

2. PAUL JARAMILLO
Twitter @DFIR_Janitor
Biography
Currently: Principal Consultant @CrowdStrike
Previously:
§ Fortune 500 Energy
§ Fortune 100 Manufacturing
§ Fortune 10 Conglomerate
§ Dept. of Energy
§ Fortune 100 Telecommunications
Focused on Incident Response & Digital Forensics

3. State of Affairs
Sophistication vs Effectiveness
Sophisticated Actor vs Attack
Measurements of Sophistication
Adversaries of Infamy
Recommendations

4. STATE OF AFFAIRS
§ Breachapalooza continues
§ Struggles to implement common critical controls
§ Continued resource misallocation on buzzwords & knee jerks
§ Massive inequality between InfoSec haves and have-nots
§ Dwell time improving
§ Board awareness & engagement vastly increasing
§ Defending failures with “Sophisticated”

5. STATE OF AFFAIRS
§ You had me at “Sophisticated” Attack :-/
§ Password dump, guessing, reuse
§ Phishing
§ Fake login portal
§ Common tools, exploits (mimikatz, wiper, etc)
§ Ancient vulnerabilities (JBoss, ColdFusion, MS08-067, WordPress, etc)
§ Ransomware
Image Credit: reddit.com

6. SOPHISTICATION VS EFFECTIVENESS
§ Why does sophistication matter so much to the armchair incident responder?
§ We know it matters to security vendors :-)
§ Should it matter to the impacted org?
§ Tight correlation with chances for successful defense
§ “Commercially reasonable effort” scapegoat
§ Supports better resource allocation
Image Credit: imgur.com

7. SOPHISTICATION VS EFFECTIVENESS

8. SOPHISTICATED ACTOR VS ATTACK
Rule #1 - Sophisticated Actor != Sophisticated Attack
Sophisticated Actor = [Basic Attack … Sophisticated Attack]
Image credit: xkcd.com

9. SOPHISTICATED ACTOR VS ATTACK
Rule #2 - Sophisticated Actor != Zero Days
Sophisticated Actor = [Code Reuse, Custom Malware, Custom Tools, Zero Days, Etc]
On APT - “We personally do not believe in the advanced part of the acronym, unless the threats involve specific zero-day exploits”
ORLY?
10. MEASUREMENTS OF THREAT ACTOR SOPHISTICATION
§ Attack Precision
§ Cross-platform Capabilities
§ Targeting
§ OPSEC
§ Resilience
§ Stealth

11. ACTORS - ATTACK PRECISION
Ability of Threat Actor to closely align their planned attacks with an organization's given vulnerabilities, including overall efficiency
§ WEAK(1) – Spray & pray, exploit kits, Apache exploits against IIS, etc
§ BASIC(4) – Brute force, observable mistakes such as CLI typos, accidental AV & IDS detection
§ STRONG(7) – Skillful targeting of people, authentication & directory services
§ FIERCE(10) – Demonstrated mastery of unique business process, timing, and/or closed technologies

12. ACTORS - CROSS PLATFORM CAPABILITIES
Ability of Threat Actor to operate in a full spectrum of diverse technologies
§ WEAK(1) – PHP websites, cracked MS Windows
§ BASIC(4) – MS Windows clients & servers, web servers
§ STRONG(7) – OSX, Linux, Unix, Android, IoT(?)
§ FIERCE(10) – Embedded computing, firmware, telecommunications & network gear, and other closed systems

13. ACTORS - TARGETING
Ability of Threat Actor to successfully compromise well-defended “hard” targets, as compared to “soft” targets
§ WEAK(1) – Grandma, individual credit cards & banking, software licenses
§ BASIC(4) – Corporate brands, political causes, corporate wire fraud
§ STRONG(7) – Data theft, destruction or modification with grave damage to organization or national security implication
§ FIERCE(10) – Critical systems or processes (kinetic damage, financial catastrophe)

14. ACTORS - OPSEC
Ability of Threat Actor to avoid providing their adversaries with any useful information about them
§ WEAK(1) – Bragging that you did it, claiming responsibility
§ BASIC(4) – Observable tool marks, traceable personas
§ STRONG(7) – Breadcrumbs, diversified tools & infrastructure
§ FIERCE(10) – Frame someone else, clandestine, covert

15. ACTORS - RESILIENCE
Ability of a Threat Actor to maintain access in an organization’s environment
§ WEAK(1) – AV solves your problem
§ BASIC(4) – Indicator blocks, reimages, and password changes solve your problem
§ STRONG(7) – Complex remediation, requiring 3rd party assistance
§ FIERCE(10) – Source code compromise, supply chain compromise, human implant

16. ACTORS - STEALTH
Ability of Threat Actor to avoid detection
§ WEAK(1) – Mass scanning, large phishing campaigns
§ BASIC(4) – “Smash & grab” aka immediate action on objectives
§ STRONG(7) – Less than 1 year average dwell time
§ FIERCE(10) – Greater than 1 year average dwell time with continued activity
17. ADVERSARIES OF INFAMY
Anonymous - 18 (2006 to Present, 2010 Operation Payback, 2011 HBGary)
§ Attack Precision (4)
§ Cross Platform Capability (4)
§ Targeting (4)
§ OPSEC (4)
§ Resilience (1)
§ Stealth (1)
Image Credit: ArsTechnica

18. ADVERSARIES OF INFAMY
Carbanak/Carbon Spider - 35 (2013 to Present, SWIFT attacks, Hotel chains, Retail, etc)
§ Attack Precision (10)
§ Cross Platform Capability (7)
§ Targeting (4^)
§ OPSEC (4)
§ Resilience (4)
§ Stealth (4)
Image Credit: Buzzfeed

19. ADVERSARIES OF INFAMY
Silent Chollima/DarkSeoul - 36 (2009 to Present, South Korea, Sony, etc)
§ Attack Precision (7)
§ Cross Platform Capability (4)
§ Targeting (7)
§ OPSEC (4)
§ Resilience (7)
§ Stealth (7)
Image Credit: KnowYourMeme

20. ADVERSARIES OF INFAMY
Axiom/Aurora Panda/APT17 - 51 (2009 to Present, Google, Adobe, Bit9, etc)
§ Attack Precision (10)
§ Cross Platform Capability (7)
§ Targeting (10)
§ OPSEC (7)
§ Resilience (7)
§ Stealth (10)
Image Credit: people-you-knew.tumblr.com

21. ADVERSARIES OF INFAMY
Equation Group - 60 (1996 to Present, Stuxnet, Flame, Grayfish)
§ Attack Precision (10)
§ Cross Platform Capability (10)
§ Targeting (10)
§ OPSEC (10)
§ Resilience (10)
§ Stealth (10)
Image Credit: Kaspersky

22. ADVERSARIES OF INFAMY
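The ACTOR rubric of slides 10-16 and the five profiles of slides 17-21, encoded as a small scoring tool. This is an added example, not the deck's or CrowdStrike's own tooling: the dimension names, the 1/4/7/10 levels and the condensed rubric strings come from the slides, while the function names, the validation rule (every dimension present, every value one of the four levels), the "weakest dimension" view and the cross-check against the totals printed on the slides are this example's own additions.

```python
"""ACTOR threat-actor sophistication scoring (added example, not the deck's code).

Six dimensions, each rated WEAK(1), BASIC(4), STRONG(7) or FIERCE(10);
an actor's total is the plain sum, so it ranges from 6 to 60.
"""
from typing import Dict, List, Tuple

LEVELS: Dict[str, int] = {"WEAK": 1, "BASIC": 4, "STRONG": 7, "FIERCE": 10}
VALID_SCORES = frozenset(LEVELS.values())

# Dimensions in slide order, with the rubric descriptor for each level
# condensed from slides 11-16 of the deck.
RUBRIC: Dict[str, Dict[int, str]] = {
    "attack_precision": {
        1: "spray & pray, exploit kits, wrong-platform exploits",
        4: "brute force, CLI typos, accidental AV/IDS detection",
        7: "skillful targeting of people, authentication & directory services",
        10: "mastery of unique business process, timing, closed technologies",
    },
    "cross_platform": {
        1: "PHP websites, cracked MS Windows",
        4: "MS Windows clients & servers, web servers",
        7: "OSX, Linux, Unix, Android, IoT",
        10: "embedded, firmware, telecom & network gear, closed systems",
    },
    "targeting": {
        1: "individuals, credit cards & banking, software licenses",
        4: "corporate brands, political causes, corporate wire fraud",
        7: "data theft/destruction with grave organisational or national impact",
        10: "critical systems or processes (kinetic damage, financial catastrophe)",
    },
    "opsec": {
        1: "bragging, claiming responsibility",
        4: "observable tool marks, traceable personas",
        7: "breadcrumbs, diversified tools & infrastructure",
        10: "frames someone else, clandestine, covert",
    },
    "resilience": {
        1: "AV solves your problem",
        4: "indicator blocks, reimages, password changes solve it",
        7: "complex remediation requiring 3rd-party assistance",
        10: "source code, supply chain or human implant compromise",
    },
    "stealth": {
        1: "mass scanning, large phishing campaigns",
        4: "smash & grab, immediate action on objectives",
        7: "under 1 year average dwell time",
        10: "over 1 year average dwell time with continued activity",
    },
}
DIMENSIONS: Tuple[str, ...] = tuple(RUBRIC)
Profile = Dict[str, int]


def validate(profile: Profile) -> None:
    """Reject a profile that misses a dimension or uses a value outside 1/4/7/10."""
    missing = [d for d in DIMENSIONS if d not in profile]
    if missing:
        raise ValueError(f"missing dimensions: {missing}")
    for dim, score in profile.items():
        if dim not in RUBRIC:
            raise ValueError(f"unknown dimension {dim!r}")
        if score not in VALID_SCORES:
            raise ValueError(f"{dim}: {score} is not one of {sorted(VALID_SCORES)}")


def is_valid(profile: Profile) -> bool:
    """Boolean form of validate(), handy for filtering imported profiles."""
    try:
        validate(profile)
    except ValueError:
        return False
    return True


def actor_score(profile: Profile) -> int:
    """Total ACTOR score: the sum of the six dimension ratings."""
    validate(profile)
    return sum(profile[d] for d in DIMENSIONS)


def weakest_dimensions(profile: Profile) -> List[str]:
    """Dimensions rated at the actor's lowest level: where a defender's controls bite first."""
    validate(profile)
    low = min(profile[d] for d in DIMENSIONS)
    return [d for d in DIMENSIONS if profile[d] == low]


# Component scores as listed on slides 17-21. Carbanak's targeting is shown
# as "4^" on the slide; the caret annotation is dropped and the value kept as 4.
ADVERSARIES: Dict[str, Profile] = {
    "Anonymous": dict(zip(DIMENSIONS, (4, 4, 4, 4, 1, 1))),
    "Carbanak/Carbon Spider": dict(zip(DIMENSIONS, (10, 7, 4, 4, 4, 4))),
    "Silent Chollima/DarkSeoul": dict(zip(DIMENSIONS, (7, 4, 7, 4, 7, 7))),
    "Axiom/Aurora Panda/APT17": dict(zip(DIMENSIONS, (10, 7, 10, 7, 7, 10))),
    "Equation Group": dict(zip(DIMENSIONS, (10, 10, 10, 10, 10, 10))),
}

# Totals printed next to each actor's name on the slides.
STATED_TOTALS: Dict[str, int] = {
    "Anonymous": 18, "Carbanak/Carbon Spider": 35, "Silent Chollima/DarkSeoul": 36,
    "Axiom/Aurora Panda/APT17": 51, "Equation Group": 60,
}


def rank(adversaries: Dict[str, Profile]) -> List[Tuple[str, int]]:
    """Actors ordered from highest to lowest total score (ties broken by name)."""
    return sorted(((n, actor_score(p)) for n, p in adversaries.items()),
                  key=lambda item: (-item[1], item[0]))


def check_stated_totals() -> Dict[str, Tuple[int, int]]:
    """{name: (computed, stated)} for every actor whose components do not sum to the slide's total."""
    return {n: (actor_score(p), STATED_TOTALS[n]) for n, p in ADVERSARIES.items()
            if actor_score(p) != STATED_TOTALS[n]}


if __name__ == "__main__":
    for name, total in rank(ADVERSARIES):
        weak = ", ".join(weakest_dimensions(ADVERSARIES[name]))
        print(f"{total:>3}  {name:28} weakest: {weak}")
    print("totals that disagree with the slides:", check_stated_totals())
```

Running the cross-check reproduces four of the five stated totals; for Carbanak/Carbon Spider the six listed components sum to 33 against the 35 printed on slide 18, which is worth knowing before quoting the deck's numbers. The weakest-dimension view is the defender-side use of the model: Anonymous's resilience and stealth both sit at WEAK(1), which is exactly why slide 15's "AV solves your problem" level applies to them and not to the actors further up the ranking.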
23. RECOMMENDATIONS
§ Before calling out an organization
§ Could you detect it? Prevent it?
Image Credit: quickmeme.com

24. RECOMMENDATIONS
Become a better defender and threat intelligence consumer
1. Collect & analyze all indicators, TTPs, and associated context around your own incidents using the Kill Chain model
2. Complete your own organizational threat profile
3. Collect & analyze available data around threat actors targeting your organization using the ACTOR model
4. Proactively provide messaging around high visibility threats & risks
5. Align organizational priority around your biggest threats (e.g. new controls, threat hunting, M&A, people, etc)

25. QUESTIONS?
Image Credit: memecrunch.com