Understanding Threat Intelligence In Today s Layered Security World

Transcription

1 Understanding Threat Intelligence In Today s Layered Security World Matthew Brimer CEH, CHFI, MCITP, CCNA Security, SEC+ Data Engineer Security Solutions Architect matthew.brimer@interworks.com

2 The Obligatory About Me Page (and shameless plugs) 9 years experience with SQL Server 3 were spent as Senior DBA and Database Security Specialist for The Defense Information Systems Agency, a Department of Defense Agency Database Manager and Security Manager for the leader in independent retail pharmacy services Hold several Security and Microsoft Certifications President of the Oklahoma City Professional Association of SQL Server (PASS)User Group OKCSQL Previous Chairman for SQL Saturday

3

4 Does Anybody Actually Read These Things (or Care)?

5 DATA BREACHES 75%

6 DATA BREACHES 75%

7 ATTACK PHASES INITIAL CONTACT LOCAL EXECUTION ESTABLISH PRESENCE MALICIOUS ACTIVITY

8 ATTACK PHASES INITIAL CONTACT LOCAL EXECUTION ESTABLISH PRESENCE MALICIOUS ACTIVITY Malicious Websites Messages Peripherals (USB Drives, Thumb Drives, Cell Phones)

9 ATTACK PHASES INITIAL CONTACT LOCAL EXECUTION ESTABLISH PRESENCE MALICIOUS ACTIVITY Password Flaws Operating System Flaws Website Browsing Software Flaws

10 ATTACK PHASES INITIAL CONTACT LOCAL EXECUTION ESTABLISH PRESENCE MALICIOUS ACTIVITY Survive Reboot Hide From Security Software Block Updates Disable OS Functions Change Security Settings

11 ATTACK PHASES INITIAL CONTACT LOCAL EXECUTION ESTABLISH PRESENCE MALICIOUS ACTIVITY Identity Theft Banking Information Customer Records Intellectual Property

12

13 NEVER ENDING CHALLENGE

14 NEVER ENDING CHALLENGE right?

15

16

17 OTHERTHANANATTACKS, WHAT IS YOUR BIGGEST THREAT?

18

19 Things are rapidly improving year over year! The time it takes to discover a breach has been reduced over the years: Days Days Days The AVG Cost of a breach is currently $4,000,000 dollars

20

21

22

23

24 How Many Sources of Time do you have? Even if you are using NTP, time drift is still a serious concern A LOT of companies don t even bother setting the date/time on their network devices

25

26

27

28 Could anything have prevented these attacks? The typical answer is Maybe.

29 Could anything have prevented these attacks? What if I had a NIDS/NIPS? What if the traffic was encrypted? What if it s been going on for so long that it s baselined as normal traffic? What about anti malware products? What if the malware doesn t have a known signature?

30 Could anything have prevented these attacks? TIME = $$$ Advanced Products = $$$ $$$=Budgets Budgets=Fortunetelling

31

32 Could anything have prevented this attack? Anything else? There are other security products on the market that can do some pretty incredible things. Even ISP s are changing how they handle traffic!

33 Prevent what you can, mitigate what s left, but you should always know what s going on in your environment!

34 RISE OF THE SIEM SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) Some SIEM s can: act as a NIDS/NIPS deploy agents system and software inventory penetration testing and vulnerability assessments But it s main function is correlating and reporting on events

35

36

37 MOST COMMON QUESTIONS Brute Force Attacks Multiple failed logins, followed up by a successful login Insider Threat Usage Monitoring, Policy Compliance Unusual USB activity Application Monitoring Unusual Application activity Covert Channels Vulnerable Patch Version Out of date AV signatures Log Sources Suspect log behavior or logs not reporting

38 REFERENCES Virus Detection.jpg/902px Computer Virus Detection.jpg intelligence october 2016

39 THANK YOU! Matthew Brimer Security Solutions Architect