Post-Access Cyber Defense

Transcription:

Post-Access Cyber Defense
Dr. Vipin Swarup, Chief Scientist, Cyber Security, The MITRE Corporation
November 2015
Approved for Public Release; Distribution Unlimited. 15-3647.

Cyber Security Technical Center
- 430+ technical staff solving cyber security challenges using a strong science and engineering foundation
- Leveraging broad and deep technical knowledge
- Serving as integrating back plane
- Bringing a strategic and objective technology perspective
- Providing thought leadership to cyber security work programs

Technical Capability Areas:
- System Security Engineering
- Cyber Resiliency & Cyber Situation Awareness
- Critical Enabling Security Services
- Security for Enterprise & Cloud Architectures
- Cyber Assessments and Testing
- Mobile & Emerging Technologies
- Strategy, Policy, Privacy
- Cyber Partnerships, Sharing, & Automation
- Threat-Based Operations (e.g., SOCs, Threat Intel)
- Systems Analysis & Reverse Engineering
- Mission Technologies (e.g., Insider Threat, Forensics)

Scope: NIST RMF, from bits and bytes to policy and governance.

Example: Phishing & Waterholing Attacks
- IT administrators targeted and spear-phished
- Initial compromise and credential theft
- IT administrators' credentials used to upload malware to patch server
- Malware distributed and executed via authorized, trusted channels
- South Korea, March 2013: 32,000+ computers & servers of banks and broadcasters rendered inoperable

Cyber Threat Model: ATT&CK Matrix (Tactics and Techniques)
Source: https://attack.mitre.org

Persistence / Privilege Escalation:
- Legitimate Credentials, Accessibility Features, AddMonitor, DLL Search Order Hijack, Edit Default File Handlers, New Service, Path Interception, Scheduled Task, Service File Permission Weakness, Shortcut Modification, Web shell, BIOS, Hypervisor Rootkit, Logon Scripts, Master Boot Record, Modify Existing Service, Registry Run Keys, Service Registry Permission Weakness, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL, Exploitation of Vulnerability

Defense Evasion:
- Binary Padding, DLL Side-Loading, Disabling Security Tools, File System Logical Offsets, Process Hollowing, Rootkit, Bypass UAC, DLL Injection, Indicator blocking on host, Indicator removal from tools, Indicator removal from host, Masquerading, NTFS Extended Attributes, Obfuscated Payload, Rundll32, Scripting, Software Packing, Timestomp

Credential Access:
- Credential Dumping, Credentials in Files, Network Sniffing, User Interaction, Account manipulation

Host Enumeration:
- Account, File system, Group permission, Local network connection, Local networking, Operating system, Owner/User, Security software, Window

Lateral Movement:
- Application deployment software, Exploitation of Vulnerability, Logon scripts, Pass the hash, Pass the ticket, Peer connections, Remote Desktop Protocol, Windows management instrumentation, Windows remote management, Remote Services, Replication through removable media, Shared webroot, Taint shared content, Windows admin shares

Execution:
- Command Line, File Access, PowerShell, Process Hollowing, Registry, Rundll32, Scheduled Task, Service Manipulation, Third Party Software

C2:
- Commonly used port, Comm through removable media, Custom application layer protocol, Custom cipher, Data obfuscation, Fallback channels, Multiband comm, Multilayer, Peer connections, Standard app layer protocol, Standard non-app layer protocol, Standard cipher, Uncommonly used port

Exfiltration:
- Automated or scripted exfiltration, Data compressed, Data encrypted, Data size limits, Data staged, Exfil over C2 channel, Exfil over alternate channel to C2 network, Exfil over other network medium, Exfil over physical medium, From local system, From network resource, From removable media, Scheduled transfer

Improving Embedded Security (e.g., BIOS)
- BIOS (Basic Input/Output System) executes when a computer starts up, before the OS loads
- UEFI (Unified Extensible Firmware Interface) is the de facto (Intel) BIOS standard; 100s of vendors
- A BIOS attack, performed remotely, can result in permanent denial of service or persistent stealth backdoors
- BIOS vulnerabilities include:
  - BIOS configuration errors: 20 configurations need to be set correctly, with complex interdependencies
  - Exploitable firmware vulnerabilities: enable an attacker to bypass all configuration locks
- MITRE disclosed UEFI vulnerabilities to Intel in Nov/Dec 2013 and at BlackHat/Defcon in Aug 2014
  - 500+ HP and 39+ Dell models affected and patched
  - Other vendors' products also affected
  - UEFI Security Response Team stood up

Cyber Games and Behavioral Analytics
- Living lab (enclave of operational enterprise network): 250 computers, primarily Windows 7
- Blue Team: 100% detection of implants; 97% of systems accessed
- TTP Emulation
- Diagram elements: Workstations, Blue Team, Red Team, FMX Living Lab, FMX Servers, Target Server

Cyber Denial & Deception (D&D) Methodology
- Cyber-D&D:
  - Should be a strategic component of the active defense lifecycle
  - Needs to be coordinated with intelligence and operations
- Deception Chain:
  - A model for planning, preparing, and executing deception operations
  - Applicable at every phase of the intrusion lifecycle
  - Should be used in conjunction with the D&D Methods Matrix for mapping and tracking operational objects and methods
- Outcomes:
  - Exercises/experiments (SLX II, FMX) with Deception Chain and D&D Methods Matrix
  - Cyber-D&D book
  - Ex. tactical D&D goals

CyGraph Cyber Stack: information relevant to cyber security & mission assurance
- Network Infrastructure: segmentation, topology, sensors
- Cyber Posture: configurations, vulnerabilities, policy rules
- Cyber Threats: campaigns, actors, incidents, indicators, TTPs
- Mission Dependencies: objectives, activities, tasks

Cyber Physical Resiliency
- 1) GPS altitude spoofing
- 2) Controllers over-respond
- 3) UAV loses stability
- Properties at stake: safety, stability, efficiency
- Control loop elements: Environment, Operator, Controller, Command, Actuator, Physical System, Sensor, Measurement
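The three-step chain on this slide as an added toy simulation (not MITRE's code; every gain, actuator limit, threshold and the spoof profile is an assumption chosen for illustration): an altitude-hold controller that trusts GPS alone saturates its actuator in answer to a spoofed "too high" reading and drives the vehicle far below its target, while a controller that cross-checks GPS against an independent barometric sensor, a resilience measure the slide does not itself describe, holds altitude.

```python
# Constructed toy model of the slide's chain (GPS altitude spoof -> controller
# over-responds -> loss of safe altitude). Not MITRE code; every gain, limit,
# threshold and the spoof profile below is an assumption chosen for illustration.

DT = 0.1             # control step, seconds
GAIN = 0.8           # proportional gain on altitude error (assumed)
MAX_RATE = 5.0       # actuator limit on vertical rate, m/s (assumed)
TARGET = 100.0       # commanded hold altitude, metres
SPOOF_AT = 5.0       # time the constructed spoof starts, seconds
SPOOF_OFFSET = 60.0  # spoofed GPS reads this much too high, metres


def gps_measurement(true_alt: float, t: float) -> float:
    """Sensor 1: GPS altitude, biased upward once the spoof begins."""
    return true_alt + (SPOOF_OFFSET if t >= SPOOF_AT else 0.0)


def baro_measurement(true_alt: float) -> float:
    """Sensor 2: barometric altitude, assumed out of the spoofer's reach."""
    return true_alt


def naive_controller(gps_alt: float, baro_alt: float) -> float:
    """Trusts GPS alone: a 'too high' reading is answered with a dive command."""
    return GAIN * (TARGET - gps_alt)


def checked_controller(gps_alt: float, baro_alt: float, max_disagree: float = 15.0) -> float:
    """Plausibility check: if GPS and baro disagree beyond a bound, hold on baro."""
    measured = baro_alt if abs(gps_alt - baro_alt) > max_disagree else gps_alt
    return GAIN * (TARGET - measured)


def simulate(controller, seconds: float = 20.0) -> float:
    """Run the closed loop; return the lowest true altitude reached (safety margin)."""
    altitude, lowest = TARGET, TARGET
    for i in range(int(seconds / DT)):
        t = i * DT
        cmd = controller(gps_measurement(altitude, t), baro_measurement(altitude))
        rate = max(-MAX_RATE, min(MAX_RATE, cmd))   # actuator saturation: the over-response
        altitude += rate * DT                       # physical system integrates the rate
        lowest = min(lowest, altitude)
    return lowest


if __name__ == "__main__":
    print(f"naive controller:   lowest altitude {simulate(naive_controller):.1f} m")
    print(f"checked controller: lowest altitude {simulate(checked_controller):.1f} m")
```

With these constants the naive loop settles about 60 m below target (the spoof offset), while the checked loop never leaves 100 m.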

Notional Post-Access Cyber Defense Gaps
- The ATT&CK matrix from the Cyber Threat Model slide (same tactics and techniques; https://attack.mitre.org), color-coded per technique with the legend: Detect / Partially Detect / No Detect
- The per-technique coding is graphical and is not preserved in this transcription

Questions? swarup@mitre.org