Cyber Defense Overview Attack Patterns Aligned to Cyber Kill Chain


Cyber Defense Overview Attack Patterns Aligned to Cyber Kill Chain John Franco Electrical Engineering and Computing Systems

Attackers Leave Trails
Stages of Attack (Cyber Kill Chain):
- Reconnaissance: gather information on the target
  * social media, email addresses, intellectual property
- Weaponization: trojan coupled with an exploitable application
  * weaponized deliverable: Adobe PDF, MS Office documents
- Delivery: get the weapon to the target environment
  * email attachments, USB removable media, websites
- Exploitation: intruder's code activated, auto-exec'ed by OS?
- Installation/spread: backdoor or trojan, persistence
  * hide existence from security devices
- Command & Control: channels to send and receive info
- Accomplish Mission: theft of money, theft of IP, destruction
  * exfiltration: collect, encrypt, extract info from target
  * use target to compromise other machines

Defender Capabilities
Defensible Actions:
- Detect: verify that some attacker is looking around
- Deny: prevent the attacker from gaining information
- Disrupt: stop or change outbound traffic (to attacker)
- Degrade: attack attacker's command & control
- Deceive: interfere with command & control
- Contain: network segmentation changes

Mostly Review: Defender Tools
- NIDS: Network Intrusion Detection
- NIPS: Network Intrusion Prevention
- HIDS: Host Intrusion Detection
- EPP: Endpoint Protection Platform
  * firewall, anti-virus, anti-spyware, behavioral blocking
- ACL: Access Control List
- AV: anti-virus
- DNS Redirect: serve a different web page than was requested
  * attacker may seek a C&C channel through a page with malware
  * but redirection may kill this chance
- DLP: Data Loss Prevention
  * stop exfiltration to untrusted locations, control what data users can transfer

Mostly Review: Defender Tools
- Tarpit: purposeful introduction of delays into network traffic
  * idea: bad guys may give up if things are taking too long
- Honeypot: seems to belong to, but is isolated from, the network
  * idea: divert malicious traffic to protect and to discover attack intentions
- chroot jail: change root directory of the currently running process
  * idea: limit access of the process to data and software
- Proxy filter: intermediary for client requests
  * idea: hide network information from the attacker
- Quality of Service: classify traffic (how to treat it?); level of traffic; check for bottlenecks; selectively drop packets
- Trust Zones: level of trust associated with system parts
- Queuing: form of tarpit on incoming traffic

Defensible Actions Matrix Aligned to the Cyber Kill Chain (matrix figure: kill chain phases vs. detect/deny/disrupt/degrade/deceive/contain; cost to adversary increases as more indicators are revealed and used). From: Defensible Security Posture, Nige the Security Guy

Security Control Types Aligned to the Cyber Kill Chain (matrix figure). From: Defensible Security Posture, Nige the Security Guy

Attack Patterns
Indicators:
- any piece of information that describes an intrusion
- atomic: IP addresses, email addresses, vulnerability identifiers
- computed:
  * derived from data collected during an incident
  * e.g. hash values
- behavioral:
  * collections of atomic and computed indicators
  * AI over the aggregate is used to suggest malicious behaviors
  * rule example: intruder initially uses a backdoor to generate network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replaces it with a module matching the MD5 hash [value] once access is established
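The behavioral rule above, expressed as detection logic (an added example, not code from the slides): the bracketed placeholders are filled with constructed values, the NSM records and EPP hash reports are constructed, and the "then replaces it" ordering is not enforced.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed NSM-style records (not from the slides): (timestamp, dst_ip, request line).
BEACONS = [
    ("2015-09-01T10:00:00", "203.0.113.7", "GET /ping?id=a1"),
    ("2015-09-01T10:05:00", "203.0.113.7", "GET /ping?id=a2"),
    ("2015-09-01T10:10:00", "203.0.113.7", "GET /ping?id=a3"),
    ("2015-09-01T10:15:00", "203.0.113.7", "GET /ping?id=a4"),
    ("2015-09-01T10:12:00", "198.51.100.9", "GET /index.html"),  # unrelated traffic
]
# Constructed EPP/HIDS reports of newly written modules: (host, md5 of the file).
NEW_MODULES = [("host-42", "0123456789abcdef0123456789abcdef")]

# The slide's rule with its placeholders filled with constructed values.
RULE = {
    "pattern": re.compile(r"GET /ping\?id=[0-9a-f]+"),   # [regular expression]
    "dst_ip": "203.0.113.7",                              # [some IP address]
    "min_per_hour": 4,                                    # [some frequency]
    "module_md5": "0123456789abcdef0123456789abcdef",     # MD5 hash [value]
}

def beacon_rate(records, rule):
    """Atomic indicators combined: count, per hour, the requests that match the
    regular expression and go to the rule's IP address."""
    hits = Counter()
    for ts, dst, request in records:
        if dst == rule["dst_ip"] and rule["pattern"].search(request):
            hits[datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")] += 1
    return hits

def match_behavioral_indicator(records, modules, rule):
    """Behavioral indicator: the backdoor's beacon rate is reached AND a module
    with the known (computed) hash is observed. Order of the two events is not
    checked here. Returns (matched, hosts_with_module)."""
    rate = beacon_rate(records, rule)
    beaconing = any(n >= rule["min_per_hour"] for n in rate.values())
    hosts = [host for host, md5 in modules if md5 == rule["module_md5"]]
    return beaconing and bool(hosts), hosts
```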

Attack Patterns
Indicators:
- analysts reveal indicators through analysis or collaboration
- mature indicators by leveraging them in tools
- utilize them when matching activity is discovered
- form additional indicators subject to the same actions and states

Attack Patterns
Reconnaissance and weaponization:
- sudden increase in network traffic (analytics/firewall)
- sudden increase in outbound transfers (analytics/firewall)
- unusual patterns of activity (analytics/firewall to stop)
  * large transfers of data outside normal office hours
  * large transfers to unusual locations
- unusual searches of directories, files of interest to attacker
  * source code repositories (NSM/firewall to stop)
- unrecognized, large outbound files that have been compressed, encrypted, or password-protected
- scans (NSM/firewalls)
- increased volume of IDS events/alerts (NSM/firewall)

Attack Patterns
Delivery:
- vulnerable UDP/TCP port used to load malware (NIDS/NIPS)
  * communication channel established with master controller
- repeated queries to dynamic DNS names
- use URL filtering (outbound: deny access to sites) and DNS monitoring (inbound) to discover/deny attacker access
  * if new attack, protection is built on-the-fly while the UDP port is under repair
  * other enterprises should be warned

Attack Patterns
Exploitation:
- unexplained changes in configurations of platforms, routers or firewalls

Attack Patterns
Installation:
- DNS server is set up as a launching point for finding other vulnerable hosts
- unusual traffic between servers that usually don't talk to one another can be detected, examined, and blocked by intelligent sensors

Attack Patterns
Command and Control:
- inbound commands are sent to the exploited DNS server, which returns outbound traffic and/or begins identifying other vulnerable devices within the organization to exploit
- changes to the system show up in logs and traffic reports
- intelligent tools pick up and report on unusual connections between servers and devices, to-from locations
- types of traffic and the ports used show up in logs
- tools capture suspect traffic between the servers for further examination, including decrypting packets and examining contents, when required
- patterns of repeated downloads, uploads or lateral movement of files are suspect and can be killed before sensitive data leaves

Attack Patterns
Mission accomplished/exfiltration of data:
- attacker controls target system, sends data outbound
- outbound traffic monitoring catches this stage of attack
- but criminals have learned to send their data from unsuspected, even trusted servers and use low-and-slow bursts to try to thwart outbound protections
- advanced tools make determinations on outbound traffic based on traffic type, to-from pathways, and other patterns to detect sensitive outbound data
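The outbound patterns named on this slide and on the reconnaissance slide (large transfers off-hours, large transfers to unusual locations, low-and-slow transfers that only the per-day aggregate reveals), run over constructed flow records. This is an added example, not code from the slides; the thresholds, office hours and known-destination list are assumed policy values.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values (not from the slides): tune to the environment.
OFFICE_HOURS = range(8, 18)            # 08:00-17:59 counts as normal office hours
KNOWN_DESTS = {"198.51.100.20"}        # destinations data is expected to go to
LARGE_BYTES = 50_000_000               # a single "large" outbound flow
SLOW_TOTAL_BYTES = 10_000_000          # low-and-slow: daily total per destination
SLOW_MIN_FLOWS = 20                    # low-and-slow: minimum number of small flows

# Constructed outbound flow records: (timestamp, dst_ip, bytes_out).
FLOWS = [
    ("2015-09-02T09:30:00", "198.51.100.20", 2_000_000),    # routine transfer
    ("2015-09-02T02:10:00", "198.51.100.20", 60_000_000),   # large, at 2 a.m.
    ("2015-09-02T10:00:00", "192.0.2.77", 55_000_000),      # large, unknown destination
] + [
    # 24 small flows of 500 KB, every 15 minutes from 09:00, all to one unknown host
    (f"2015-09-02T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00", "203.0.113.50", 500_000)
    for i in range(24)
]

def analyze_outbound(flows):
    """Return (kind, dst_ip, when) alerts for the three exfiltration patterns:
    large off-hours transfers, large transfers to unusual locations, and
    low-and-slow transfers whose per-day total to one destination is large."""
    alerts = []
    per_day_dst = defaultdict(lambda: [0, 0])   # (day, dst) -> [flow count, total bytes]
    for ts, dst, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if nbytes >= LARGE_BYTES and t.hour not in OFFICE_HOURS:
            alerts.append(("large-offhours", dst, ts))
        if nbytes >= LARGE_BYTES and dst not in KNOWN_DESTS:
            alerts.append(("large-unusual-dest", dst, ts))
        day_dst = per_day_dst[(t.date().isoformat(), dst)]
        day_dst[0] += 1
        day_dst[1] += nbytes
    for (day, dst), (count, total) in per_day_dst.items():
        # Each flow is individually below LARGE_BYTES, so only the aggregate reveals it.
        if dst not in KNOWN_DESTS and count >= SLOW_MIN_FLOWS and total >= SLOW_TOTAL_BYTES:
            alerts.append(("low-and-slow", dst, day))
    return alerts
```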


Example 1: see page 9 of Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Lockheed Martin Corporation (pdf file: LM-intel-driven-defense.pdf)

Example 2: see page 10 of the same paper (LM-intel-driven-defense.pdf)

Example 3: see page 11 of the same paper (LM-intel-driven-defense.pdf)