Defending Against Attacks by Modeling Threat Behaviors

Similar documents
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

2012 Data Breach Investigations Report

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Information Security and Risk Management

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

DBIR INDUSTRY SNAPSHOT: FINANCE AND INSURANCE

Threat Modeling. 1. Some Common Definition (RFC 2828)

V ISA SECURITY ALERT 13 November 2015

2010 Data Breach Investigations Report

Advanced Persistent Threats

2015 TRUSTWAVE GLOBAL SECURITY REPORT

Point of Sale System Architecture and Security. Lucas Zaichkowsky

How To Create Situational Awareness

Speaker Info Tal Be ery

Certified Ethical Hacker Exam Version Comparison. Version Comparison

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Knowing Your Enemy How Your Business is Attacked. Andrew Rogoyski June 2014

INVESTIGATIONS REPORT

Information Security Organizations trends are becoming increasingly reliant upon information technology in

CYBERTRON NETWORK SOLUTIONS

Practical Steps To Securing Process Control Networks

Defending Against Data Beaches: Internal Controls for Cybersecurity

Cybersecurity Awareness. Part 1

Application Security Testing. Generic Test Strategy

Protecting Your Organisation from Targeted Cyber Intrusion

Detailed Description about course module wise:

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Client logo placeholder XXX REPORT. Page 1 of 37

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

An New Approach to Security. Chris Ellis McAfee Senior System Engineer

Impact of Data Breaches

Ed Ferrara, MSIA, CISSP Fox School of Business

RSA Security Anatomy of an Attack Lessons learned

Hard vs. Soft Tokens Making the Right Choice for Security

2012 雲 端 資 安 報 告. 黃 建 榮 資 深 顧 問 - Verizon Taiwan. August 2012

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Understanding Security Testing

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Why The Security You Bought Yesterday, Won t Save You Today

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Microsoft STRIDE (six) threat categories

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

IBM Security Strategy

Alert (TA14-212A) Backoff Point-of-Sale Malware

2012 Global Threats and Trends

SECURITY 2.0 LUNCHEON

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

IBM Protocol Analysis Module

APT Advanced Persistent Threat Time to rethink?

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Information Security for the Rest of Us

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Presented by Evan Sylvester, CISSP

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Post-Access Cyber Defense

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Advanced Persistent Threats

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

September 20, 2013 Senior IT Examiner Gene Lilienthal

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Web App Security Audit Services

The Application Usage and Threat Report

APPLICATION THREAT MODELING

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

SiteLock. Internet Security: Big Threats for Small Business. Presented by: Neill Feather, President

OWASP AND APPLICATION SECURITY

10 Smart Ideas for. Keeping Data Safe. From Hackers

RMAR Technologies Pvt. Ltd.

67% 61% STATE OF CLOUD SECURITY BULLETIN. Information Security in the Energy Sector. Summer 2013 FROM APR SEP 2012

That Point of Sale is a PoS

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Security and Privacy

IT Security Risks & Trends

After the Attack. The Transformation of EMC Security Operations

IBM Security Services 2014 Cyber Security Intelligence Index

CEH Version8 Course Outline

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Web application testing

Application Security Testing

Transcription:

Defending Against Attacks by Modeling Threat Behaviors John Benninghoff Transvasive Security Transparent and Pervasive Security

2013 Verizon DBIR Recommendations What can we do about it? Collect, analyze and share incident data to create a rich data source that can drive security program effectiveness.

Identifying security design flaws THREAT MODELING

Basic Threat Modeling Approach Review system design Enumerate all possible threats Identify potential vulnerabilities Address risks Address Risks Identify Vulnerabilities Review Design Enumerate Threats

What s wrong with Threat Review system design Enumerate all possible threats Identify potential vulnerabilities Address risks Modeling?

What s wrong with Threat Review system design Enumerate all possible threats Identify potential vulnerabilities Address risks Modeling?

What s wrong with Threat Review system design Enumerate all possible threats Identify potential vulnerabilities Address risks Modeling?

What s wrong with Threat Modeling? Review system design Enumerate all possible threats Identify vulnerabilities Address risks Avoid Control Accept Transfer

STRIDE addresses some of the problems with Threat Modeling Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

Other methods of Threat Modeling are also problematic DREAD CVSS AS/NZS 4360:2004 OCTAVE Trike and PASTA

Threat modeling using known threat behaviors KNOWN UNKNOWNS

Behavioral Threat Modeling is tailored to human cognition Behavioral Threat Modeling is a way to run simulated attacks against your system in the design stage models actual attackers using incident and intelligence data is designed to be quick and easy to use automatically prioritizes likely threats is a simple model predicting no change in current situation

Profile attackers by their behavior, not their background Exceptional Case Study Project National Threat Assessment Center Insider Threat Study (NTAC/CERT)

Attackers have consistent behavior patterns 2012 Verizon DBIR Threat Action pairs If we look further at these top 25 pairs (again, representing 81% of the almost 4000 pairs), we see that they are just different combinations of eight threat actions

Attackers have consistent behavior patterns When malware was used to exfiltrate data, 98% of the time it was paired with keylogging functionality. 98% of backdoors installed were paired with exploitation of the backdoor. 91% of the 276 breaches leveraging stolen credentials also had keyloggers installed. When default or easily guessable credentials were used (in 379 incidents), 57% of the time a keylogger was installed and a backdoor was present in 47%. Out of the 174 backdoors installed, 61% were also seen with a keylogger. 73.6% of people will believe a statement that includes a statistic, even if it is completely made up. More analysis: http://securityblog.verizonbusiness.com

United States 18% Bulgaria 7% Russia 5% Netherlands 1% Attackers have consistent behavior 1% Armenia Germany Colombia 1% 1% Brazil 1% patterns Financial Espionage Other 398 Table 1: Profiling threat actors ORGANIZED CRIME STATE-AFFILIATED ACTIVISTS VICTIM INDUSTRY Finance Retail Food Manufacturing Professional Transportation Information Public Other Services REGION OF OPERATION Eastern Europe North America East Asia (China) Western Europe North America COMMON ACTIONS Tampering (Physical) Brute force (Hacking) Spyware (Malware) Capture stored data (Malware) Adminware (Malware) RAM Scraper (Malware) Backdoor (Malware) Phishing (Social) Command/Control (C2) (Malware, Hacking) Export data (Malware) Password dumper (Malware) Downloader (Malware) Stolen creds (Hacking) SQLi (Hacking) Stolen creds (Hacking) Brute force (Hacking) RFI (Hacking) Backdoor (Malware) TARGETED ASSETS ATM POS controller POS terminal Database Desktop Laptop/desktop File server Mail server Directory server Web application Database Mail server DESIRED DATA Payment cards Credentials Bank account info Credentials Internal organization data Trade secrets System info Personal info Credentials Internal organization data Table 1 pretty much speaks for itself, so we won t belabor the point except to say that it s based directly on our dataset rather than anecdotes. Items appear in order of prevalence among breaches attributed to each threat actor variety. Happy profiling! 22

BTM uses a simple attack lifecycle Preparation Execution Withdrawal

Threat Profiles describe attacks observed in the wild

Threat Profiles are built using BTM attack lifecycle and VERIS Attack Phase Attack Classification (using VERIS) Agent Action Asset Attribute Frequency Details

BTM system modeling is flexible Basic Web Server Architecture Web Client Web Server Database Server RDP

Use the threat profile and system model to simulate the attack Basic Web Server Architecture Web Client Web Server Database Server RDP

Threat Profile: POS RDP Attack Phase Frequency Description Preparation Sometimes Attacker obtains POS RDP credentials (through theft, purchase, hacking, social engineering, etc.) Preparation Always Attacker compromises server systems to be used for attack, FTP servers to receive exflitrated data Preparation Always Attacker scans internet for listening RDP servers Execution Always Attacker tests a list of usernames and passwords or uses password cracking tools Execution Always Attacker installs malware to grab credit card data from POS system Execution Always Attacker sends credit card data to FTP site controlled by attacker Withdrawal Always Attacker disguises identity through use of compromised server and FTP systems

Threat attacks POS System Attack Sequence Attacker obtains POS RDP credentials Attacker compromises servers for attack Attacker scans internet for RDP servers Attacker uses password cracking tools Attacker installs malware to get credit card data Attacker sends data to FTP server Attacker disguises identity (withdrawal) Point-of-Sale Logical Diagram Card Reader Internet RS232 Bank Server SSL POS Terminal RDP

Threat attacks Web Server Attack Sequence Attacker obtains POS RDP credentials Attacker compromises servers for attack Attacker scans internet for RDP servers Attacker uses password cracking tools Attacker installs malware to get credit card data Attacker sends data to FTP server Attacker disguises identity (withdrawal) Basic Web Server Architecture Web Client Web Server Database Server RDP

Threat Profile: Generic Malware Attack Phase Frequency Exfiltration Description Preparation Always Attacker obtains custom malware package that includes backdoors, keylogger, data exfiltration Preparation Always Attacker compromises server systems to be used for attack, FTP servers to receive exflitrated data Execution Sometimes Attacker runs phishing campaign (via email, social networks, etc.) to entice users Execution Always Attacker installs malware (through phishing, drive-by, remote compromise) to grab data Execution Always Attacker sends data to FTP site controlled by attacker (often using.rar) Withdrawal Always Attacker disguises identity through use of compromised server and FTP systems

Threat Profile: Hacktivist Generic Attack Phase Frequency Data Breach Discloser Description Preparation Sometimes Attacker announces campaign against target organization to recruit participants for attacks Preparation Sometimes Attackers probe systems for vulnerabilities using vulnerability assessment tools Preparation Sometimes Attackers identify open proxy servers to be used to disguise attacks Execution Always Attackers use stolen credentials, SQL injection, brute force to gain access to sensitive data Execution Always Attacker exfiltrates stolen data Execution Always Attacker announces successful attack against target organization (when successful) Execution Sometimes Attacker uses recruits to execute DoS attack against target organization (when unsuccessful) Withdrawal Sometimes Attackers disguise identity using proxy servers

Create and maintain profiles using incidents and intelligence Model Attacks Analyze Incidents Update Profiles

Attack profiles change slowly More statistics from 2013 Verizon DBIR: 48% of incidents caused by error Over 70% of attacks are opportunistic Attacks haven t substantially changed over time

Elevation of Privilege card game improves STRIDE Created to teach developers threat modeling Provides several examples for each type of attack Ranks roughly correspond to severity of vulnerability Ace = invent your own attack

Integrate BTM into design process using three levels of review Level I: Self-directed BTM on Rails using simple, constrained approach Level II: Expert-driven, Full BTM using a longer list of more complex models, allow simple extrapolation Level III: Expert-driven, Kitchen Sink discard attack chains and cycle through lists of attack behaviors

Epilogue: What can we do to prevent unknown attacks? UNKNOWN UNKNOWNS

Safety and Emergency Response help with unknown unknowns Systems quality increases resistance to attack Behavioral Security Modeling Safety Approach Emergency preparedness limits damage of attacks Incident response (911) Disaster recovery (disaster kit)

Bonus: Behavioral Threat Modeling makes testable predictions BTM models predict attacks, outcomes, and can be tested through observation Some interesting predictions: Changing default ports for internet-accessible administrative interfaces will stop attacks Don t use lowercase or numbers in your password, use uppercase and specials Cross-site scripting doesn t matter

Thank You! Contact Information: John Benninghoff john@transvasive.com http://transvasive.com/ Twitter: @transvasive Transparent and Pervasive Security

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information