State of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges

Transcription

1 State of the (Information Security) Union (or: How not to use Krebs as an IDS ) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges

2 My background IT Systems / Network Administrator for City of Central Point, Oregon Web and Network Penetration Tester Computer Forensics Incident Response SANS Instructor Information Technology Security Challenge Creation My specialty? Cross-discipline skills in IT that reinforce one another.

3 What I ll be talking about today... How to identify and develop talent within your organization To help defend your organization To make you and your employees more valuable To identify breaches earlier To identify weaknesses in current preventative and detective controls

4 How many here are directly or indirectly responsible for information security at your organization?

5 How many here read the reports of Brian Krebs?

6 Bonus points -- when was the Target breach disclosed?

7 Source: International Business Times, Timeline of Target's Data Breach And Aftermath

8 Some recent Krebs articles...

9 How many here read the Verizon Data Breach Incident Reports?

10 Breach Discovery Methods Source: 2013 Verizon DBIR

11 What if this happened to you?

12

13 Read: Brian Krebs informs you (and the world) publicly

14 How would you feel about seeing this? It s not an unusual way to discover a breach Nor is it uncommon to experience a security breach: For businesses, the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months. -- Experian, 2015 Second Annual Data Breach Industry Forecast (February 2015)

15 How do you know you re not compromised now? You can t prove a negative.

16 How long does it take to be breached? How long does it take to notice? Source: 2015 Verizon DBIR

17 What Defense Isn t (only) About Setting up static defenses and hoping attackers don t make it past them Intrusion Detection / Prevention Systems Firewalls Antivirus Software updates

18 What Defense Is About, Fundamentally 1. Lengthening the time it takes for an attacker to accomplish their goals 2. Decreasing the time it takes to detect and eradicate an attacker from your network

19 What Defense Is About, Fundamentally Make this go down Make this go up

20 Hardware and Software Can t Solve Your Problems (by themselves) Remember, Target Corporation has ~$72 billion in revenue IT budget is usually around 5% of revenue, or ~$3.6 billion IT Security budget is usually around 5% of IT budget, or ~$180 million* How does your budget compare? You can t out-spend the Fortune 100! *Yes, these are very rough numbers

21 Hardware and Software Can t Solve Your Problems (by themselves) Look at the recent mega-breaches: Home Depot Blue Cross / Blue Shield Target Office of Personnel Management City of New York You can t buy hardware to solve the IT Security Problem

22 Well, what does help? Learn from the data, and discover for yourself what the attacks are and what works to defend: Not from me Not from your vendor with $SOME_SHINY_DEVICE or $SOME_NEW_SOFTWARE Not from trade magazines Not from advertisements in airports Because the above list has more bias than fairly collected data My rule -- always keep biases in mind.

23 Especially not airport advertisements... Stops 99% of malware attacks before they happen. Let us prove it.

24 Well, how does the data suggest breaches happen? Source: Tripwire, Home Depot Breach Reveals Similarities to Target Breach (Nov 2015)

25 Does that look complicated?

26 Does that look complicated? It isn t, really.

27 No, really. Source: 2015 Verizon DBIR

28 Why I love my job (Part 1) I get to build these exact scenarios, soon after we re aware of the methodology Many defenders want to test these scenarios, but testing in production is Very Frowned Upon Both Counter Hack and SANS are committed to giving back to the community, including a number of freely-available resources.

29 Why I love my job (Part 2) By building these scenarios, there s a safe place for you to: Walk through the attack Understand how each component works Understand the forensic artifacts of the attack that: Would exist in the production network Could exist in the production network, with changes Understand why defenses would stop an attack or fail to do so I ll talk about ready-made scenarios and how to build your own, and I ll be here for the Q&A as well!

30 Defense in Learn From Others Play Offense and Defense Red teaches Blue; Blue teaches Red Improve defenses, artifacts, response time GOTO Step 1

31 Definitions Red Team: Red teaming is the practice of viewing a problem from an adversary or competitor s perspective. ~~ Red Team Journal ( Red teaming can take many forms. Example -- full-scope, long-term engagement versus targeted testing of specific actions. Blue Team: The defense side, opposite Red Team.

32 Defense in Learn from Others Actively gain intelligence on how your vertical is being compromised Verizon DBIR Brian Krebs breach analyses (for organizations in your vertical) Open communication with similar companies Threat Intelligence feeds (if needed)

33 Defense in Play Offense and Defense Test attacker s strategies on your own infrastructure Often mocking up a network using virtualization When Blue Team can t find forensic artifacts of Red Team s actions, discuss Examples: Test a number of various common phishing attempts against specifically-named users (HTA application, Office macros, Java applets, zipped executables) Test a number of payloads (Meterpreter, raw command shell, PowerShell Empire

34 Defense in Red teaches Blue; Blue teaches Red Whenever Red Team performed a significant action that Blue Team can t point to forensic artifacts for: Add additional preventative and detective controls Examples: Wait, you used Mimikatz on that box? How d you do that? I couldn t tell! How d you go from local Administrator on that box to Domain Admin? I thought you wouldn t be able to do that. Oh, you installed a new Windows service for your malware persistence? We should probably alert on those Event Logs in Splunk

35 Defense in Improve defenses, artifacts, response time Add additional preventative and detective controls, specifically Make it take longer for an attacker to win : Network segmentation Multi-factor authentication Remove low-hanging fruit (Nessus scan, filter for Public Exploit Available ) Make it easier to find active attackers on your network: Blue Team should be able to describe Red Team s actions

36 Defense in GOTO Step 1 Red teaming is an iterative cycle Once Blue Team can detect and respond to Red Team (or prevent them entirely), it s time for Red Team to up their game! This is a long-term goal, to be clear!

37 So, how do you start this cycle? First, identify and develop internal talent for Red and Blue Team members Red Team can be external, but Blue Team shouldn t be Dedicate resources to learning Time and/or money. Dedicating both seems more effective.

38 How about some specifics? SANS is incredibly dedicated to supporting the community My company, Counter Hack Challenges, spends hundreds of staff hours on Holiday Hack Challenges... and then give them away for free! From 2002 to 2015, and we have big plans for 2016! We also keep these challenges online and freely-available forever.

39 Remember that breach overview?

40 Let s walk through (less than half of) a CyberCity mission! The HVAC mission is very similar to this common breach pattern Let s take a look from a participant s point of view Important caveat: this mission is intentionally more difficult than many breaches (Pardon me while I pray to the demo gods )

41 Hands-on learning through NetWars Individual learning -- NetWars Continuous Individual or team-based competition and evaluation -- NetWars Tournament Team scenario-based exercises -- NetWars CyberCity

42 NetWars Continuous Individual Learning-focused Automated hints support

43 NetWars Tournament

44 NetWars CyberCity

45 DIY network mockups VMware Workstation pfsense networking modern.ie Windows clients Windows Server 180-day evaluations IceCast vulnerability ( com/db/modules/exploit/windows/http/icecast_header) Metasploitable v2