The Peak of Chaos
Shane D. Shook, PhD
10/31/2012


Cyber Crime / Warfare / Terrorism / Security
- Who Did It?
- When Do We Fight Back?
- Why Did They Do It?
- How Do We Prevent It (Again)?
- What is the actual threat?

East, West, Everywhere
- Anonymous Group / LulzSec / AntiSec / Arab Youth Group / Cutting Sword of Justice / Izz ad-din Al Qassam Martyr's Cyber Fighters / Gaza Hackers / Palestinian Cyber Army
- Anonymous crowdsourcing

Anonymous: Hacktivists or Actors?
- Highly capable, and as sophisticated as needed
- First effective demonstrations of the new cyber-age:
-- Distributed Denial of Service
-- Anonymized Network of Communications
- The risk is overlooked, but the Threat is Real
- Function over form

Anonymous Hacktivism Campaigns
- Tools: Droppers, Botnets, RATs, PasteBin
- Tactics (metasploits): Phishing, Hacking, Social Engineering
- Procedures: Compromise, Recon, Collect, Expose... sabotage?

Who are the actors?
- Nation/State
- Social Anarchists?
- Commercial Competitors
- Disaffected Minorities

- OpSony / HBGary Federal / Operation Greenrights / Operation Ababil
- Oil Companies / Governments / Banks
- Actions of a few people against (or in support of) the many

Shamoon (aka DistTrack)
Simple, effective, scary, but limited
- Used off-the-shelf software to bypass UAC
- Wiped MBR and FileSystem
- Component architecture
Intended to Destroy (Sabotage)

What is a Risk?
- A vulnerability that could be exploited
What is a Threat?
- A vulnerability that should not exist
- Something that will impact your business
What is an APT?
- Activity (behavior) that threatens your business
- Not simply malware or exploited vulnerabilities
- Not a risk; it is a threat

What do these have in common?
- Vulnerabilities
- Phish
- SQL Injection
- Botnets
- People
They are Risks to your business

What do these have in common?
- Gh0st/PoisonIvy utilized Phishing and SQL Injection
- Anonymous utilized BotNets and Social Engineering
- Shamoon exploited Windows Vulnerabilities
They are Threats to your business, and can be done by an individual or a group!

Gh0st/PoisonIvy (Aurora / Night Dragon / Shady RAT / etc.)
- SQL Injection of improperly secured websites
- Web Server access to Command Shell, or
- Phish Email to custom downloader site
- Crafted Dropper to exploit software vulnerability, and
- Windows Privilege Escalation
- Credential dumping/cracking
- Proxy installation & Private Remote Access
- Reconnaissance and Data Harvesting

Gh0st/PoisonIvy (RATs) behavioral artifacts
- Binary Resources
- Configuration Files
- Prefetch/Command References
- Link Files
- Security & Application Event History
- Communications History
- Services History
MetaData exists in Windows AND *NIX
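The Prefetch artifact above records which executables ran, when, how often and which files they touched, which is exactly what a responder wants when hunting for a dropped RAT. The following parser is an added example written for this page; it is not code from the slides or from any tool the author mentions. It reads the version-17 prefetch layout used by Windows XP (the platform the deck says 70% of enterprise machines still ran), builds a constructed sample file inline so it runs offline, and applies one simple triage rule: an executable whose image path sits in a user-writable directory such as a profile's TEMP folder deserves a look. The directory markers and the sample file contents are assumptions for the example, not values from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 17  # prefetch format version written by Windows XP / Server 2003
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_v17(data):
    """Parse header and run metadata of a version-17 (Windows XP) prefetch file.

    Field offsets follow the XP layout: executable name at 0x10 (60 bytes, UTF-16),
    prefetch hash at 0x4C, filename-strings offset/size at 0x64/0x68,
    last run time (FILETIME) at 0x78 and run count at 0x90.
    """
    if len(data) < 0x98:
        raise ValueError("file too short to hold a version-17 prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PF_SIGNATURE:
        raise ValueError("not a prefetch file (bad signature)")
    if version != PF_VERSION_XP:
        raise ValueError("unsupported prefetch version %d (parser handles 17 only)" % version)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    if strings_off + strings_size > len(data):
        raise ValueError("filename-strings section runs past end of file")
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
    loaded = [s for s in blob.split("\x00") if s]  # NUL-separated device paths
    return {
        "executable": exe_name,
        "hash": pf_hash,
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "loaded_files": loaded,
    }


# Assumed for this example: locations a legitimately installed program rarely runs from.
USER_WRITABLE_MARKERS = ("\\TEMP\\", "\\DOCUMENTS AND SETTINGS\\", "\\RECYCLER\\")


def triage_prefetch(pf):
    """Return review flags for a parsed prefetch record (empty list = nothing odd)."""
    flags = []
    exe = "\\" + pf["executable"].upper()
    image_paths = [p for p in pf["loaded_files"] if p.upper().endswith(exe)]
    for path in image_paths:
        if any(marker in path.upper() for marker in USER_WRITABLE_MARKERS):
            flags.append("executable image in user-writable location: %s" % path)
    if not image_paths:
        flags.append("executable image path missing from loaded-files list")
    return flags


def build_sample_prefetch(exe_name, loaded_paths, last_run, run_count):
    """Construct a minimal version-17 prefetch file (test data, not a real artifact)."""
    name_bytes = exe_name.encode("utf-16-le")
    if len(name_bytes) > 58:
        raise ValueError("executable name too long for the 60-byte field")
    strings = "".join(p + "\x00" for p in loaded_paths).encode("utf-16-le")
    header_len = 0x98
    buf = bytearray(header_len + len(strings))
    struct.pack_into("<I4sI", buf, 0, PF_VERSION_XP, PF_SIGNATURE, 0x0F)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = name_bytes.ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x1234ABCD)  # arbitrary hash for the sample
    struct.pack_into("<II", buf, 0x64, header_len, len(strings))
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    buf[header_len:] = strings
    return bytes(buf)


# Constructed sample: a program run three times from a user's TEMP directory.
SAMPLE_PREFETCH = build_sample_prefetch(
    "UPDATER.EXE",
    ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
     "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
     "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\JSMITH\\LOCAL SETTINGS\\TEMP\\UPDATER.EXE"],
    datetime(2012, 10, 31, 13, 0, 0, tzinfo=timezone.utc),
    3,
)

if __name__ == "__main__":
    record = parse_prefetch_v17(SAMPLE_PREFETCH)
    print(record["executable"], record["last_run"], record["run_count"])
    for flag in triage_prefetch(record):
        print("FLAG:", flag)
```

Real prefetch files from later Windows versions use other layouts (and, from Windows 8 on, are compressed), so the version check is there to refuse rather than misread them; on an XP image the same parser can be pointed at C:\WINDOWS\Prefetch\*.pf.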

Everyone focuses on the threat of Zero-day exploits
- The least important threat is Zero-day: previously unknown, no patch available
- The next important is Half-day: known, no patch available yet
- The real threat (most important) is Single-day: known, patches available but not installed
- The new threat (critical) is Forever-day: impossible to patch

Stuxnet / Flame / Wiper (PLC)
Complex, bulky, effective, targeted
- Used compromised Certificates (JMicron / RealTek)
- Exploited Single-Day and Forever-Day Vulnerabilities
-- MS10-092 (AT Task Scheduler)
-- Drivers (Keyboard, Print Spooler, Volume)
-- Path Vulnerabilities (LNK, RPC, NetShares)
-- Hard-coded Passwords (CVE-2010-2772)
- Targeted at ICS control software
- Component architecture
Intended to Destroy (Sabotage)

Project Basecamp (PLC)
SCADA / ICS risk: unknown whether compromised yet
- Allows unauthenticated access & control
- Exploits a Forever-Day Vulnerability
-- Just pass string query/response
-- Flash programming means replacing equipment
- Targeted at ICS control software
- No software / malware needed
-- Metasploit & Nessus modules available
-- Shodan / every routable IP reveals sites
Can Remotely Control (Including Shutdown) At-Will

RuggedCom (PLC)
SCADA / ICS risk: unknown whether compromised yet
- Single-Day or Forever-Day Vulnerability
-- Default password in firmware updates
-- Single certificate shared on all devices
-- Flash programming means replacing equipment
- No software / malware needed to exploit
- Just one of MANY SCADA vulnerabilities emerging
Can Remotely Control (Including Shutdown) At-Will

- 70% of Enterprise Computers in Global Companies are running Windows XP (~20% on Service Pack 2)
- 60% of Enterprise Computers are running IE v8
- 20% of Enterprise Computers are running IE v7
- 90% of Enterprise Computers are running unpatched Java
- 80% of Enterprise Computers are running unpatched Flash
- 80% of Enterprise Computers are running unpatched Reader

- 68%+ of consumer PCs run Windows
- 30% of those consumer PCs run older versions of Windows

[Diagram: Remote code execution paths, Internal and External, via Java, Flash and Reader]

Today's security tools do not address the problem
- Risks are mistaken as threats
- Focus upon AntiVirus rather than DLP
- No value given to network intelligence
- Not enough correlation/reporting tools
- Attention to anomalous files, not behavior
Know your customer
- Who should be doing what, when?
- Which systems should they use?
- How should they access/communicate?
- What are anomalies?

When is a risk a threat?
Risk                    Threat
Unpatched Software      Vulnerable to exploits
0-day Exploit           Used in place of malware
Malware                 Used to reconnoiter or sabotage systems
Uncontrolled Access     Persistent access to non-public information
Undocumented Systems    Lack of awareness
Tools vs. Experience    Lack of perspective
Outsourcing             Lack of control

Biggest Risks:
- People: Outsourcing (experience can't be replaced)
- Process: Incomplete/Inaccurate AMDB & CMDB
- Technology: Reliance on Tools
Biggest Threats:
- People: Insiders (not hackers)
- Process: Reliance on (restricted) audit results
- Technology: Pattern vs. Behavior-based detection

What can you do to detect/protect/defend?
DDOS / BotNets / APT Channels
- Upstream Vendor/Public Intelligence
- Upstream & Downstream Filtering
- Expand The Attack Surface
Malware
- Heuristic Filtering (Test Before Installing)
- Know Your Build (Services, Apps, RAS)
RATs
- Know Your Admin (& User) Behaviors
- Watch for Lateral Movement Indicators
Contingency Plans for Recovery & Restoration
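"Know your customer" (who should be doing what, when, on which systems, and how they should access them), the Security Event History artifact, and "Know Your Admin (& User) Behaviors / Watch for Lateral Movement Indicators" all describe the same defensive move: learn each account's normal logon behavior, then flag departures from it instead of matching file patterns. The script below is an added example for this page, not code from the slides or from the author's company. It assumes Windows Security log logon events (4624) have been flattened to a CSV of time, event id, account, source host, destination host and logon type; both log extracts are constructed for the example. It learns a per-account baseline of hosts, hours and logon types from a known-good period, then reports new hosts, off-hours use, new logon types, unknown accounts, and one lateral-movement indicator: an account fanning out network logons to several hosts within a few minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Columns:
# time, event id, account, source host, destination host, logon type
# 4624 = successful logon, 4634 = logoff; logon type 2 = interactive,
# 3 = network, 10 = remote interactive.
BASELINE_LOG = """
# known-good period used to learn who normally does what, where and when
2012-10-29 08:03:12, 4624, jsmith, WS-042, WS-042, 2
2012-10-29 13:10:44, 4624, jsmith, WS-042, WS-042, 2
2012-10-30 08:01:55, 4624, jsmith, WS-042, WS-042, 2
2012-10-29 02:00:01, 4624, svc-backup, BK-01, FS-01, 3
2012-10-30 02:00:02, 4624, svc-backup, BK-01, FS-01, 3
2012-10-29 10:15:00, 4624, admin-bob, WS-007, SRV-DC1, 10
2012-10-30 14:20:30, 4624, admin-bob, WS-007, SRV-DC1, 10
2012-10-30 14:21:00, 4634, admin-bob, WS-007, SRV-DC1, 10
"""

NEW_LOG = """
# the period under review
2012-10-31 10:02:11, 4624, admin-bob, WS-007, SRV-DC1, 10
2012-10-31 23:10:05, 4624, jsmith, WS-042, FS-01, 3
2012-10-31 23:11:40, 4624, jsmith, WS-042, SRV-DC1, 3
2012-10-31 23:13:02, 4624, jsmith, WS-042, WS-017, 3
2012-11-01 02:00:03, 4624, svc-backup, BK-01, FS-01, 3
2012-11-01 02:05:00, 4624, tmpuser, WS-042, FS-01, 3
"""


def parse_events(text):
    """Turn the CSV extract into dicts; account and host names are case-folded."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, src, dst, ltype = [f.strip() for f in line.split(",")]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "account": account.upper(),
            "src": src.upper(),
            "dst": dst.upper(),
            "logon_type": int(ltype),
        })
    return events


def build_baseline(events):
    """Per account: which hosts it logs on to, at which hours, with which logon types."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set()})
    for e in events:
        if e["event_id"] != 4624:
            continue
        prof = baseline[e["account"]]
        prof["hosts"].add(e["dst"])
        prof["hours"].add(e["time"].hour)
        prof["types"].add(e["logon_type"])
    return baseline


def detect_anomalies(events, baseline, window_minutes=10, host_threshold=3):
    """Compare new logons against the baseline; each distinct deviation is reported once."""
    findings, seen = [], set()
    recent_network = defaultdict(list)  # account -> type-3 logons inside the window

    def report(e, reason, detail, key):
        if key in seen:
            return
        seen.add(key)
        findings.append({"time": e["time"].isoformat(sep=" "), "account": e["account"],
                         "host": e["dst"], "reason": reason, "detail": detail})

    for e in sorted(events, key=lambda x: x["time"]):
        if e["event_id"] != 4624:
            continue
        acct = e["account"]
        prof = baseline.get(acct)
        if prof is None:
            report(e, "unknown account", "no baseline for this account", (acct, "unknown"))
        else:
            if e["dst"] not in prof["hosts"]:
                report(e, "new destination host", "baseline hosts: %s" % sorted(prof["hosts"]),
                       (acct, "host", e["dst"]))
            if e["time"].hour not in prof["hours"]:
                report(e, "off-hours logon", "baseline hours: %s" % sorted(prof["hours"]),
                       (acct, "hour", e["time"].hour))
            if e["logon_type"] not in prof["types"]:
                report(e, "new logon type", "baseline types: %s" % sorted(prof["types"]),
                       (acct, "type", e["logon_type"]))
        # Lateral-movement indicator: one account reaching several hosts over the
        # network in a short window, regardless of whether those hosts were baselined.
        if e["logon_type"] == 3:
            window = recent_network[acct]
            window.append(e)
            cutoff = e["time"] - timedelta(minutes=window_minutes)
            window[:] = [x for x in window if x["time"] >= cutoff]
            hosts = {x["dst"] for x in window}
            if len(hosts) >= host_threshold:
                report(e, "lateral fan-out", "%d hosts within %d min: %s"
                       % (len(hosts), window_minutes, sorted(hosts)), (acct, "fanout"))
    return findings


def run_demo():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_anomalies(parse_events(NEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_demo():
        print("%(time)s %(account)-10s %(host)-8s %(reason)s (%(detail)s)" % f)
```

On the constructed data the admin's routine remote-interactive logon and the backup account's nightly network logon pass silently, while the workstation user's burst of late-night network logons to three servers is reported as new hosts, off-hours, a new logon type and a fan-out, and the never-seen account is flagged outright. The thresholds and the ten-minute window are starting points to tune against a real baseline, and the same structure extends to the Application and Services histories the artifact slide lists.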

What does it all mean?
1) Understand Risks versus Threats
2) Everything is vulnerable: if a computer can't do it, a person can
3) There are no limits (technical or ethical)
4) Watch out for anomalies
5) Behavior is more important than pattern

Contact: shane@shook.net http://www.vorstack.com