AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Similar documents
FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

How Breaches Really Happen

10 FOCUS AREAS FOR BREACH PREVENTION

CyberArk Privileged Threat Analytics

Assessing Your Incident Response Capabilities Do You Have What it Takes?

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Incident Scale

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Part 2: How to Detect Insider Threats

Security & Phishing

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Cyber Insurance: What is your bank doing to manage risk? presented by

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Mobile Field Worker Security Advocate Series: Customer Conversation Guide. Research by IDC, 2015

Segmentation for Security

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

RSA INCIDENT RESPONSE SERVICES

2017 Annual Meeting of Members and Board of Directors Meeting

Integrated Access Management Solutions. Access Televentures

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

PrecisionAccess Trusted Access Control

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Five Best Practices to Manage and Control Third-Party Risk

Building Resilience in a Digital Enterprise

Crash course in Azure Active Directory

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

RSA INCIDENT RESPONSE SERVICES

RSA NetWitness Suite Respond in Minutes, Not Months

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Identity & Access Management

Remediating Targeted-threat Intrusions

CYBERARK GDPR ADVISORY. SECURE CREDENTIALS. SECURE ACCESS. A PRIVILEGED ACCOUNT SECURITY APPROACH TO GDPR READINESS

The Cyber War on Small Business

Copyright

About The Presentation 11/3/2017. Hacker HiJinx-Human Ways to Steal Data. Who We Are? Ethical Hackers & Security Consultants

MODERN DESKTOP SECURITY

You ve Been Hacked Now What? Incident Response Tabletop Exercise

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Cyber Security Updates and Trends Affecting the Real Estate Industry

Kevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management

THE EVOLUTION OF SIEM

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

with Advanced Protection

Insiders: The Threat is Already Within

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

ANATOMY OF AN ATTACK!

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

Incident Play Book: Phishing

Cyber security tips and self-assessment for business

Service Provider View of Cyber Security. July 2017

2014 CliftonLarsonAllen LLP Cyber Crime and Payment Fraud Trends Key Threats to All Businesses CliftonLarsonAllen LLP. CLAconnect.

Web Application Security. Philippe Bogaerts

Becoming the Adversary

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

The State of the Hack. Kevin Mandia MANDIANT

Cybersecurity The Evolving Landscape

CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Critical Hygiene for Preventing Major Breaches

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

Secure access to your enterprise. Enforce risk-based conditional access in real time

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

ID Theft and Data Breach Mitigation

Managing an Active Incident Response Case. Paul Underwood, COO

INSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Cyber Security Incident Response Fighting Fire with Fire

Teradata and Protegrity High-Value Protection for High-Value Data

Cybersecurity Auditing in an Unsecure World

6 Vulnerabilities of the Retail Payment Ecosystem

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Modern Realities of Securing Active Directory & the Need for AI

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Operationalizing the Three Principles of Advanced Threat Detection

Office 365 Buyers Guide: Best Practices for Securing Office 365

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

INSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Keep the Door Open for Users and Closed to Hackers

Securing the New Perimeter:

Cyber Security Audit & Roadmap Business Process and

the SWIFT Customer Security

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

Transcription:

AUTHENTICATION Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Who we are Eric Scales Mandiant Director IR, Red Team, Strategic Services Scott Koller BakerHostetler Counsel, Privacy & Data Protection Team

Agenda The importance of authentication Detection Investigation and Response

The importance of authentication CAN SWAP PICTURE OUT

Authentication Authentication is the act of validating an identity for the purposes of accessing <something> Used for tracking access to objects Authentication is a complex and sometimes misunderstood aspect of information security Significant issue with authentication is the trust placed by objects once authentication has taken place

Core authentication types Single factor authentication Passwords Biometrics Multi-factor authentication Something you know + something you are/have Single Sign On (SSO) OAUTH Cookies

Authentication Is critical in proving/disproving legitimate vs. malicious activity Malicious insider vs. remote attacker Unwitting insider vs. malicious insider vs. remote attacker

Example auth criticality Hacked bank Attacker transferred large sums of money to multiple bank accounts Money transferred to other parties Money laundered through various business enterprises Was an insider involved? How do you prove the answer to this question?

The Legal challenges Notification laws are triggered by unauthorized access to certain data Uncertainty err on the side of caution? Worst case scenario Data outside coverage of notification laws Pursuing recovery of losses Other consequences

Detection CAN SWAP PICTURE OUT

Detection time 146 DAYS Median days for compromise to discovery External Notification Internal Discovery 320 days 56 days 3 days Average number of days for Mandiant red team to gain domain administrator credentials Need to think about security from the perspective of an attacker, not as a defender

Detection time 47% INTERNATIONAL DISCOVERY OF BREACH 53% EXTERNAL NOTIFICATION OF BREACH

Fundamental truths Breaches are inevitable but they can be mitigated The goal of any cyber security program: to eliminate the consequences of a cyber security breach, not necessarily the breach itself Every breach relies on authentication at some point in time Focusing on authentication is essential to detecting and responding to every breach

Are you prepared? Backdoor variants VPN subversion Sleeper malware Maintain Presence Move Laterally Net use commands Reverse shell access Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission Social engineering Spear phishing e-mail with custom malware Custom malware Command and Control 3 rd- party application exploitation Credential theft Password cracking Pass-the-hash Critical system recon System, active directory & user enumeration Staging servers Data consolidation Data theft

Credential theft How do they get those credentials external to your network? Spear phishing Watering hole attack (strategic web compromise) Exposed through major breach Password re-use

Privilege escalation How do they get those credentials inside your network? Zero-day exploits Pass-the-hash (Mimikatz/WCE) Golden/silver ticket attack Vulnerable services running as admin File shares Code

Detecting credential misuse Understand all places where user authentication occurs Understand how authentication works in your environment All authentication logs must be sent to single location Perform correlation and time correction

Detecting credential misuse Create and tune rules for your organization Use geolocation Use machine learning/baselining Send email summarizing all activity to administrative users Ensure alerts are investigated thoroughly all malicious activity will leverage user credentials at some point

Use Case Client used two-factor authentication (password + token) to validate users on VPN Attacker modified server settings to create a temporary token (often used in conjunction with lost tokens) Attacker leveraged temporary token in conjunction with stolen credentials to authenticate to VPN as legitimate user MFA server stored configuration change information in a local log file evidence was there but no one was looking

Use Case what was missed Temporary token issued to user User authentication to VPN from <evil country> User authentication to VPN in anomalous fashion User that authenticated to VPN should not have been able to use Domain Administrator account after authenticating Domain Administrator account operating in anomalous fashion

Investigation & Response CAN SWAP PICTURE OUT

BakerHostetler Data Security Incident Response Report 2016

Examples external single factor VPN/OWA Cloud services (e.g., Outlook 365) Vendor portals (e.g., payroll, W2s)

Examples external single factor SSO (OAUTH 2.0 common) Third party malicious app intercepts traffic Attacker authenticates to application Attacker substitutes username w/ victim username Authentication successfully bypassed

Scenarios Internal single factor Admin access to segmented environments with sensitive data (e.g. cardholder data environment) Access to accounts that permit theft of funds Financial reporting systems reliance on internal controls?

Scenarios Account takeovers How were the credentials obtained? Whack-a-mole defense? Proactive notice? Impact Customer experience Alter reward/account value Resources Fraud losses 26

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback