OODA Security. Taking back the advantage!

Similar documents
DLP FAIL!!! Using Encoding, Steganography and Covert Channels to Evade DLP and other Critical Controls

Incident Response Tools

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

How Breaches Really Happen

Reduce Your Network's Attack Surface

Forensic Network Analysis in the Time of APTs

ArcSight Activate Framework

UKNova s Getting Connectable Guide

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

To learn more about Stickley on Security visit You can contact Jim Stickley at

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Securing CS-MARS C H A P T E R

The Crossed Swords wargame: Catching NATO red teams with cyber deception

Colin Gibbens Director, Product Management

Case Study. Partnering with Topsec. Use any 3D app, on any device, delivered from the Cloud

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

15 Minute Traffic Formula. Contents HOW TO GET MORE TRAFFIC IN 15 MINUTES WITH SEO... 3

The Value of Automated Penetration Testing White Paper

Sucuri Webinar Q&A HOW TO IDENTIFY AND FIX A HACKED WORDPRESS WEBSITE. Ben Martin - Remediation Team Lead

LEARN READ ON TO MORE ABOUT:

Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

Remote social engineering techniques involving Microsoft Universal Naming Convention (UNC) function.

Transforming Security from Defense in Depth to Comprehensive Security Assurance

How to Build a Culture of Security

Train employees to avoid inadvertent cyber security breaches

SOC Operations on the Autobahn. Don t let the green grass fool you

Managing an Active Incident Response Case. Paul Underwood, COO

Network Defenses 21 JANUARY KAMI VANIEA 1

PROTECTING THE ENTERPRISE FROM BLUEBORNE

Cisco Firepower NGIPS Tuning and Best Practices

Mobile County Public School System Builds a More Secure Future with AMP for Endpoints

I Was APT d. What Did They Steal?

Create a Login System in Visual Basic. Creating a login system. Start a new visual basic Windows Forms application project. Call it Login System

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

CSE 565 Computer Security Fall 2018

whitepaper: Whitelisting Without The Complexity

WHITE PAPER. Best Practices for Web Application Firewall Management

Installing and Configuring the Voice UPB Bridge updated 1-Jan-2019

Traditional Security Solutions Have Reached Their Limit

Network Defenses 21 JANUARY KAMI VANIEA 1

Firewalls, Tunnels, and Network Intrusion Detection

Everything you need to know about cloud. For companies with people in them

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Active Defence A chance to fight back. Dott. Agostino PANICO Rome, 09/06/2016

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Leveraging Threat Intelligence on your SOC operations

A quick-reference guide to secure your organization s data and reduce cybersecurity attacks

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Novetta Cyber Analytics

SharePoint 2013 Site Owner

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

A Case for Host-based Information Security

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

Base64 The Security Killer

Balancing the pressures of a healthcare SQL Server DBA

6 counterintuitive strategies to put your list building efforts into overdrive

Lie. Cheat. Deceive. How to Practice the Art of Deception at Machine Speed

Personal Physical Security

What about when it s down? An Application for the Enhancement of the SAS Middle Tier User Experience

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

Ethical Hacking Series: 0x01 - Hacking Methodologies. JaxHax Makerspace Travis Phillips

Intrusion Detection Systems

Cyber Security Detection Technology for your Security Operations Centre. IT Security made in Europe

Network Defenses KAMI VANIEA 1

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Reliable programming

Advanced Threat Intelligence to Detect Advanced Malware Jim Deerman

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

About Me. SCADA and Me: A Book for Children and Management Little Bobby

Infrastructure in Transition; Securing Your Cloud Environment

Vitheia IoT Services

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

The First 12. An Hour-by-Hour Breakdown of a Threat Actor Inside Your Environment. Dr. Chase Cunningham ECSA,

Lie, Cheat and Deceive: Change the Rules of Cyber Defense

Building a Smart Segmentation Strategy

The Wonderful World of Services VINCE

BOTNETS ON LARGE NETWORKS

CyberArk Privileged Threat Analytics

Wireless Security Algorithms

The Internet of Things. Steven M. Bellovin November 24,

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

CompTIA Security+(2008 Edition) Exam

Reducing the Cost of Incident Response

OCR Interfaces for Visually Impaired

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Offensive Security. Learn to think as an attacker. The aim of this talk is to discover why and how you can use OS X and vsphere together

Fighting Phishing I: Get phish or die tryin.

Installing and Configuring the Voice UPB Bridge updated 22-Jan-2018

CYBER SECURITY FOR BUSINESS COUNTING THE COSTS, FINDING THE VALUE

Embedded Linux Day 2

All Paging Schemes Depend on Locality. VM Page Replacement. Paging. Demand Paging

Catching up with today's malicious actors. Current security posture and future possible actions. OWASP EEE Bucharest Event 2015 Adrian Ifrim

Using GitHub to Share with SparkFun a

NETWORK SECURITY. Ch. 3: Network Attacks

Transcription:

OODA Security Taking back the advantage!

About Me Kevin Fiscus Owner Cyber Defense Advisors 24 Years in IT 13 Years in security SANS Certified Instructor GIAC Security Expert Cyber Guardian Red/Blue Team

The Bad News The average company finds out about a breach from a third party The average company has been breached for a year before detection Those are averages, meaning roughly half of companies are breached for more than a year before detection That is a problem!

First - OODA Concept developed by USAF Colonel John Boyd for fighter pilots Observe Orient Decide Act Complete the loop first and fly home Complete the loop last, take a short trip down

Information Security? What do fighter pilot concepts have to do with information security?

Let s Change the Venue Close your eyes Think about your home It s night and a sound wakes you Think about all of the normal sounds Your furnace, the steam heat, your cat Assume it is NOT normal How quickly would you be able to determine what and where

It s a Bad Guy OK, so it s a bad guy in your house You know your house, he doesn t You know where to hide, or where he could be hiding You know how to get out You know where your phone (gun) is Assuming minimal preparedness, chances are that you win because you complete OODA first

Another Situation You get home late at night You walk in your house There are lights on you turned off Things have been moved Someone has gone through your stuff Things are missing Obvious, right?

The Point? In familiar environments, we have the OODA loop advantage Why is it then, that most organizations only find out about a breach via a 3 rd party? Why is the average company breached for a year before detection? Why do we fail to complete the OODA loop?

Attackers Are Super Sneaky Ah, no! Not really Attackers do not behave like legitimate users They attempt to learn the environment Legitimate users (and often admins) know where they need to go and go only there (for the most part)

Standard Attack Methodology Reconnaissance Scanning Gaining Access Maintaining Access Covering Tracks

Sneaky Bits Gaining Access can be difficult to detect IDS/IPS may detect exploit Application logs may show crashes or service restart Covering Tracks is meant to be difficult to detect Recon often never touches the target But what about scanning?

Scanning is EASY to Detect Every firewall log is filled with scanning External IDS/IPS systems constantly alerting to scanning The problem is not detecting scanning but rather filtering through the noise As a result, detecting scanning at the network perimeter is not usually reasonable Maybe there is a better way

Users are Predictable Users don t need to understand the network They know what buttons to push to do their jobs Sending email, accessing corporate applications, storing files on the S drive (whatever that is) Almost all traffic is from end user computer to some servers or from server to server Virtually no traffic from end user system to other end user systems

Attackers are Blind Imagine you walk into a new house blind You learn the environment by bumping into things Most attackers do the same things Gain access inside the network Ping sweep, port scan, DNS recon, vul scanning Not activities of normal users and easy to spot, if we are looking

But Monitoring is HARD HARD = expensive, time consuming, resource intensive, etc. Deploying a NIDS or NIPS to cover your entire internal network Deploying HIPS or HIDS throughout your entire environment Purchasing SIEM solutions and configuring logging everywhere Difficulty is relative to size Large organizations may have budget but massive complexity Small organizations have simple environments but no budget

There is an Easier Way Let us start very simply - netcat nc l p 80 Assume this is run on your laptop Should anyone be connecting to your laptop on port 80? Check the listener, if it s not running, someone did something unexpected and your OODA loop starts

Getting A Little More Complex How about this: nc l p 80; date >> trigger.txt Now you know when the connection happened Using the -L option on Windows or a loop in Linux establishes a persistent listener

Even Cooler [root@locm ~]#while [ 1 ]; echo "started ; do IP=`nc -v -l -p 2222 2>&1 1>/dev/null grep from cut -d[ -f 3 cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP; done

Let s Expand the Coverage Egress filtering on the firewall Allow anything required for business but block everything else Log all blocked traffic Not perfect Attackers will often use common ports (80, 53, 443, etc.) Good egress filtering is uncommon so often attacker will use FTP, TFTP or other ports to download their tools Attackers will often use one victim to scan for others Don t forget about malware

Even Better Break your network into VLANs Does require a managed switch VLANs should largely mirror the business Allow all necessary traffic between VLANs Block and log all else Any blocked traffic is an attacker, a user doing something wrong, a misconfiguration or a bad block rule (all are things you want to know about)

But That Is Difficult!!! Yes, and no Depends on the level of granularity Consider 2 VLANs; servers and users Expand to 3 VLANs; servers, standard users and IT users Incremental steps are perfect

Other OODA Accelerators Create common but unlinked pages on web sites Rename the Administrator account then create a fake account named Administrator Create fake but sensitive sounding documents Log access to all of the above Creativity leads to more ideas this is not an exhaustive list

Benefits Easy to set up Fairly low maintenance Fairly low false positives Accelerates out OODA loop If done carefully, difficult for an attacker to detect

How? First, understand what is normal Required to define what needs to be allowed Necessary because detecting abnormal is extremely difficult if you don t know normal Consider the difficulties of configuring NIDS They are designed to detect bad, not deviations from good Require a LOT of tuning Basically, blacklisting technology so difficult to managed

Limitations OODA acceleration is not designed to be 100% effective Based on the fact that the vast majority of attackers walk around your network blind and thus run into a lot That is OK because the attackers only need to trip one sensor

Not All or Nothing Designed to improve over existing controls Incremental improvements are wonderful A single NetCat listener can make the difference between detection and undetected compromise Ideas can scale from the largest environments to the smallest but those in the middle will benefit the most

Questions Kevin Fiscus http://www.cdasecurity.com http://www.facebook.com/cyberdefenseadvisors http://www.facebook.com/kevinbfiscus http://www.linkedin.com/in/kevinbfiscus kfiscus@cdasecurty.com kfiscus@sans.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback