SlideShare una empresa de Scribd logo

Hitcon 2014: Surviving in tough Russian Environment

F _
F _

HITCON2014 talk on practical approach to Incident detection

Tecnología
1 de 55
Descargar para leer sin conexión
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Living with compromise: Enterprise Network Survival in tough Russian Environment Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin HITCON 2014 Affilations: Academia Sinica, o0o.nu, chroot.org Aug 20, 2014, Taipei Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Outline Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Questions Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Agenda Prerequisites and past Experience share practical experience in an enterprise defense that lead to particular conclusions Tools and implemention demonstrate tools and techniques that improve detection aid incident handling lifecycle Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response You are or will be compromised If you are under attack, your AV,Firewaslls, IDS, etc. are in THE ATTACKER THREATS MODEL. The option you have - read between the lines. When you are compromised, what is the action plan? Are you able to: Detect Properly: Categorise Mitgate Investigate . . . Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Threat Landscape Assumption - Not isolated big networks are (almost) always somehow compromised During the last year about 30% of monitored hosts was attacked by cybercrimes at least once. For Basic setup Host AV, Proxy with AV, firewalls, IPS, etc. . . Success rate 3-15% If you have 10k hosts network in Russia, about 3k host will be attacked and 90-450 will be compromised on average. Approximate this situation to 40M hosts. . . What to do? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Threat Identification Identify threats within detection capabilities of your organisation. There always will be threats your org can’t detect or handle. You have to accept the risk (or allocate additional resources to mitigate it). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples of an Org. Strength: You have Good monitoring team - otherwise you can ONLY rely on your security vendors opinion and support in handling security incidents. BAD! Defense in Depth: Have multipe independent layers of protection monitoring or mitigation. Examples: sinkholes redirect botnet traffic to internal sinkholes. proxy blacklist prevents access to botnet resources. and so on. This also decreases risks of your organization to be blacklisted in public blacklists, such as spamhaus, shadowserver lists (SPB, RSBL). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examplies of possible org Limitations: No security team, IT operations outsourced :) HUGE distributed Not centralized environment. No uniform defense mechanisms. Limited ability to control and monitor IT and SECURITY events No recording of forensic evidence Distributed, uncommunicating IT support teams Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Identify your Attack Surface browser? mail? vpn? rewmovable devices?publically accessable asset? Untrusted vendor? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attacker information gathering Targetted Attackers want your data. They have time. Not every javascript serves exploit. Some are just recording information on your environment. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attacker exploitation vuls vs kis (based on Mila/contagiodump repo data): Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Know your history Incident history datamining. Case studies of Incident and Incident Response Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response An Incident Lifestype stages in life of an incident Incident (Almost) Happens Incident Detected Additional Information Collected Short-Term Impact Minimization Incident Categorized Long-Term Mitigation plan (typical/ not typical) Mitigation plan implementation QOS (Mitigation assurance): CHECK! Indicators of Compromise (IOCs) preservation Check for presence of IOCs in other parts of monitoring Environments Store incident data, update knowledge base, collect useful stats to speed up future incident handling. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Be sure that measures are effective. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents Characteristics of incidents How to enhance security measures How to prevent further recurrence Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Classification of Incidents Examples: Malicious code Malicious code, with consequential network activity Anomalous activity Out of the scope of Enterprise Network Activity Untrusted executable Direct reputation risk Indirect reputation risk Targeted Attack (APT) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents vs Systems(1) Incidents VS Systems: Usability of various components common belief incidents/systems firewalls AV web traf IPS DNS Profiling Malicious code 10 Malicious code, with .. 1 7 2 Anomalous activity 5 5 Out of the scope .. 5 5 Untrusted executable 7 3 Direct reputation risk Indirect reputation risk Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents vs Systems(2) Incidents VS Systems: Usability of various components reality incidents/systems firewalls AV web traf IPS DNS Profiling Malicious code 4 6 Malicious code, with .. 1 2 4 1 2 Anomalous activity 2 3 2 4 Out of the scope .. 2 5 3 Untrusted executables 1 8 1 Direct reputation risk 10 Indirect reputation risk 10 Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples: Web Traffic Analysis Proxy and passive HTTP traffic analysis Sources: proxy logs passive web traffic monitoring (including HTTPS) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Example url ip mime type size code cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html 118162 200 cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html 37432 200 cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200 cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200 cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 application/octet-stream 115020 200 cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - 327 200 What just happened? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples: DNS Passive DNS traffic acquisition and analysis a couple of examples (last week) domain ip owner rtvwerjyuver.com 69.164.203.105 linode tvrstrynyvwstrtve.com 109.74.196.143 linode cu3007133.wfaxyqykxh.ru . . . what does your DNS traffic look like..? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS viz01 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS viz02 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS anonymizer traffc Anonimizer 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd 8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.d 8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.d 8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34 8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34 Time: Today 09:59:15pm Description: Phishing.bpwh Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Covert channel communication 8/13/2014 5:49:04 PM − x . x . x . x − 5141017. mtdtzwdhc . mdgtmtmmd 8/13/2014 5:49:04 PM − x . x . x . x − 5141017. mtdtzwdhc . mdgtmtmmd Time : Today 13:19:25 D e s c r i p t i o n : REP. b i l s c z Detected at Today 13:19:25 I n t e r f a c e Name : bond1 .382 I n t e r f a c e D i r e c t i o n : outbound Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Sinkhole in DNS Credit: domaintools.com Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Sinkhole in DNS Credit: domaintools.com Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS Suspicious activity: DNS lookups: kojxlvfkpl.biz:149.93.207.203 kojxlvfkpl.biz:216.66.15.109 kojxlvfkpl.biz:38.102.150.27 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Look for holes :) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Hole traffic Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Usability of sandboxes Sandboxes could be helpful to analyze mal. content. However, they are often not very practical. A few examples (delivery via SMTP) 1.zip FW supplier data form.msg How to Get Thin Quick.msg Losing a size within a fortnight It’s easy.msg 20141308.msg Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Problems with Sandboxing Known tricks matching environment code behaves differently depending on: environment, time, user interaction, time-zone, .. performance (timeouts, ..) Use interaction Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Stages of incident detection Before Incident (Security Awareness, Pentests, etc.) Access attempt Access obtained Privilege escalation Execution of attack goal Post-incident IR (too late)) Incidents VS Stages of detection ~= how monitoring team operates with current limitations in Environment Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents VS Stages of detection(1) common belief incidents/stages before attempt obtained escl impl late Malicious code 5 5 Malicious code, with .. 5 5 Anomalous activity 8 2 Out of the scope .. Untrusted executables 1 9 Direct reputation risk 10 Indirect reputation risk 10 Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents VS Stages of detection(2) reality incidents/stages before attempt obtained escl impl late Malicious code 1 2 2 2 3 Malicious code, with .. 1 2 2 3 2 Anomalous activity 1 3 2 2 2 Out of the scope .. 2 8 Untrusted executables 2 3 3 2 Direct reputation risk 2 2 3 3 Indirect reputation risk 2 2 3 3 Targeted Attack (APT) 1 1 1 2 5 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attack delivery method incidents/delivery web email ext.storage share services other Malicious code 5 2 2 1 Malicious code, with .. 5 2 2 1 Anomalous activity 1 3 2 1 1 2 Out of the scope .. 3 3 2 2 Untrusted executables 4 3 1 2 Direct reputation risk 3 2 3 2 Indirect reputation risk 3 2 1 2 2 Targeted Attack (APT) 2 3 1 2 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response How can you improve your security posture Cross-correlate your historical data including data from following sources: Incidents Detection systems (ips/ids/av/fw/..): map type of incident to component that detects those. Stages of detection - and incidents Delivery method - which network detection components detect what delivery methods. use community contributions :) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Specific incident attributes Availability first Conflict of interest: flag Restrictions on information sharing: limits the quality of teams collaboration Manual routing of information sharing for the special cases Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents categorization Categorisation based on Vendor knowledge Categorisation based on public sources Categorisation based on internal intel. Categorisation based on limited IOCs sharing to the focused groups Attribution Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Tools and Execution There is a number of tools we can share. Some are developed by us. Other - are just very good open source projects. http://github.com/fygrave/ndf http://github.com/fygrave/hntp fiddler elasticsearch && http://github.com/aol/moloch (vm) yara (as moloch plugin) hpfeeds CIF Indicators of Compromise is one of essential information mediums here to represent facts on incident(s). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Mining public knowledge There is a lot of public knowledge you could mine. CIF is a fantastic tool for that. https://github.com/collectiveintel/cif-v1 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response CIF: example grabbing shadowserver data: Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response CIF: example Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response IOC representations Multiple standards have been created to facilitate IOC exchanges. Madiant: OpenIOC Mitre: STIX (Structured Threat Information Expression), CyBOX (CyberObservable Expression) Mitre: CAPEC, TAXII IODEF (Incident Object Description Format) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Standards: OpenIOC OpenIOC - Mandiant-backed effort for unform representation of IOC (now FireEye) http://www.openioc.org/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response RAW Data Preservation Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Moloch as detection tool Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Tools for Dynamic Detection Moloch Moloch supports Yara (IOCs can be directly applied) Moloch allows you to develop your own plugins Moloch has awesome tagger plugin: # tagger . so # p r o v i d e s a b i l i t y to import t e x t f i l e s with IP and/ or hostn # i n t o a sensor that would cause autotagging of a l l matching p l u g i n s=tagger . so t a g g e r I p F i l e s=b l a c k l i s t , tag , tag , tag . . . taggerDomainFiles=domainbasedblacklists , tag , tag , tag Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Extending Moloch Moloch is easily extendable with your own plugins https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with moloch via zmq queue pub/sub or push/pull model Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Moloch ZMQ example CEP-based analysis of network-traffic (using ESPER): https://github.com/fygrave/clj-esptool/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Fake targets Honeypots are very useful when dealing with unknown threats or when dealing with environments with limited capabilities (VPN, BYOD, ..) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Honeypot data sharing HPFeeds could be used to share honeypot data feeds in controlled manner via your own broker. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Last not least :) Incident response: your availability is impacted by your investigation capabilities. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incident Response: some details Ways to determine scope (impact) Ways to minimize scope (impact) Response to the threats with known scope (impact) Response to the threats with unknown scope (impact) Keep historical record of the process. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Questions Q&A our slides: http://www.slideshare.net/burguzbozo/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org

Recomendados

Rsa2016
Rsa2016Rsa2016
Rsa2016F _
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 

Recomendados

Rsa2016
Rsa2016Rsa2016
Rsa2016F _
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016TierPoint
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyAlienVault
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Anatomy of a Ransomware Event
Anatomy of a Ransomware EventAnatomy of a Ransomware Event
Anatomy of a Ransomware EventArt Ocain
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Ransomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and AvailabilityRansomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and AvailabilityLai Yoong Seng
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Crack the Code
Crack the CodeCrack the Code
Crack the CodeInnoTech
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringLancope, Inc.
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programidsecconf
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 

Más contenido relacionado

La actualidad más candente

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016TierPoint
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyAlienVault
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Anatomy of a Ransomware Event
Anatomy of a Ransomware EventAnatomy of a Ransomware Event
Anatomy of a Ransomware EventArt Ocain
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Ransomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and AvailabilityRansomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and AvailabilityLai Yoong Seng
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Crack the Code
Crack the CodeCrack the Code
Crack the CodeInnoTech
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringLancope, Inc.
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programidsecconf
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 

La actualidad más candente (20)

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is Key
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Anatomy of a Ransomware Event
Anatomy of a Ransomware EventAnatomy of a Ransomware Event
Anatomy of a Ransomware Event
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Ransomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and AvailabilityRansomware Resiliency, Recoverability and Availability
Ransomware Resiliency, Recoverability and Availability
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security Monitoring
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting program
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 

Similar a Hitcon 2014: Surviving in tough Russian Environment

Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Addressing cyber security
Addressing cyber securityAddressing cyber security
Addressing cyber securityFemi Ashaye
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemCyphort
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
 
Future-proofing maritime ports against emerging cyber-physical threats
Future-proofing maritime ports against emerging cyber-physical threatsFuture-proofing maritime ports against emerging cyber-physical threats
Future-proofing maritime ports against emerging cyber-physical threatsSteven SIM Kok Leong
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsF _
 
20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trendsYi-Lang Tsai
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT securitySophos Benelux
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!Priyanka Aash
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hackerbestip
 
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Leonardo
 
Cyber Security in Railways Systems, Ansaldo STS experience
Cyber Security in Railways Systems, Ansaldo STS experienceCyber Security in Railways Systems, Ansaldo STS experience
Cyber Security in Railways Systems, Ansaldo STS experienceCommunity Protection Forum
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Barry Greene
 

Similar a Hitcon 2014: Surviving in tough Russian Environment (20)

Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability Intelligence
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Addressing cyber security
Addressing cyber securityAddressing cyber security
Addressing cyber security
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security Ecosystem
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
Future-proofing maritime ports against emerging cyber-physical threats
Future-proofing maritime ports against emerging cyber-physical threatsFuture-proofing maritime ports against emerging cyber-physical threats
Future-proofing maritime ports against emerging cyber-physical threats
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise Indicators
 
NetWitness
NetWitnessNetWitness
NetWitness
 
20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!
 
ISOC Efforts in Collaborative Responsibility Toward Internet Security and Res...
ISOC Efforts in Collaborative Responsibility Toward Internet Security and Res...ISOC Efforts in Collaborative Responsibility Toward Internet Security and Res...
ISOC Efforts in Collaborative Responsibility Toward Internet Security and Res...
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...
 
Cyber Security in Railways Systems, Ansaldo STS experience
Cyber Security in Railways Systems, Ansaldo STS experienceCyber Security in Railways Systems, Ansaldo STS experience
Cyber Security in Railways Systems, Ansaldo STS experience
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
 

Más de F _

Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsF _
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseF _
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpsF _
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise F _
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07F _
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_pptF _
 
0nights2011
0nights20110nights2011
0nights2011F _
 

Más de F _ (10)

Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feeds
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromise
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt
 
0nights2011
0nights20110nights2011
0nights2011
 

Último

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Último (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Hitcon 2014: Surviving in tough Russian Environment

  • 1. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Living with compromise: Enterprise Network Survival in tough Russian Environment Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin HITCON 2014 Affilations: Academia Sinica, o0o.nu, chroot.org Aug 20, 2014, Taipei Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 2. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Outline Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Questions Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 3. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Agenda Prerequisites and past Experience share practical experience in an enterprise defense that lead to particular conclusions Tools and implemention demonstrate tools and techniques that improve detection aid incident handling lifecycle Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 4. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response You are or will be compromised If you are under attack, your AV,Firewaslls, IDS, etc. are in THE ATTACKER THREATS MODEL. The option you have - read between the lines. When you are compromised, what is the action plan? Are you able to: Detect Properly: Categorise Mitgate Investigate . . . Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 5. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Threat Landscape Assumption - Not isolated big networks are (almost) always somehow compromised During the last year about 30% of monitored hosts was attacked by cybercrimes at least once. For Basic setup Host AV, Proxy with AV, firewalls, IPS, etc. . . Success rate 3-15% If you have 10k hosts network in Russia, about 3k host will be attacked and 90-450 will be compromised on average. Approximate this situation to 40M hosts. . . What to do? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 6. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Threat Identification Identify threats within detection capabilities of your organisation. There always will be threats your org can’t detect or handle. You have to accept the risk (or allocate additional resources to mitigate it). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 7. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples of an Org. Strength: You have Good monitoring team - otherwise you can ONLY rely on your security vendors opinion and support in handling security incidents. BAD! Defense in Depth: Have multipe independent layers of protection monitoring or mitigation. Examples: sinkholes redirect botnet traffic to internal sinkholes. proxy blacklist prevents access to botnet resources. and so on. This also decreases risks of your organization to be blacklisted in public blacklists, such as spamhaus, shadowserver lists (SPB, RSBL). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 8. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examplies of possible org Limitations: No security team, IT operations outsourced :) HUGE distributed Not centralized environment. No uniform defense mechanisms. Limited ability to control and monitor IT and SECURITY events No recording of forensic evidence Distributed, uncommunicating IT support teams Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 9. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Identify your Attack Surface browser? mail? vpn? rewmovable devices?publically accessable asset? Untrusted vendor? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 10. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attacker information gathering Targetted Attackers want your data. They have time. Not every javascript serves exploit. Some are just recording information on your environment. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 11. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attacker exploitation vuls vs kis (based on Mila/contagiodump repo data): Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 12. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Know your history Incident history datamining. Case studies of Incident and Incident Response Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 13. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response An Incident Lifestype stages in life of an incident Incident (Almost) Happens Incident Detected Additional Information Collected Short-Term Impact Minimization Incident Categorized Long-Term Mitigation plan (typical/ not typical) Mitigation plan implementation QOS (Mitigation assurance): CHECK! Indicators of Compromise (IOCs) preservation Check for presence of IOCs in other parts of monitoring Environments Store incident data, update knowledge base, collect useful stats to speed up future incident handling. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 14. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Be sure that measures are effective. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 15. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents Characteristics of incidents How to enhance security measures How to prevent further recurrence Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 16. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Classification of Incidents Examples: Malicious code Malicious code, with consequential network activity Anomalous activity Out of the scope of Enterprise Network Activity Untrusted executable Direct reputation risk Indirect reputation risk Targeted Attack (APT) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 17. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents vs Systems(1) Incidents VS Systems: Usability of various components common belief incidents/systems firewalls AV web traf IPS DNS Profiling Malicious code 10 Malicious code, with .. 1 7 2 Anomalous activity 5 5 Out of the scope .. 5 5 Untrusted executable 7 3 Direct reputation risk Indirect reputation risk Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 18. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents vs Systems(2) Incidents VS Systems: Usability of various components reality incidents/systems firewalls AV web traf IPS DNS Profiling Malicious code 4 6 Malicious code, with .. 1 2 4 1 2 Anomalous activity 2 3 2 4 Out of the scope .. 2 5 3 Untrusted executables 1 8 1 Direct reputation risk 10 Indirect reputation risk 10 Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 19. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples: Web Traffic Analysis Proxy and passive HTTP traffic analysis Sources: proxy logs passive web traffic monitoring (including HTTPS) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 20. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Example url ip mime type size code cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html 118162 200 cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html 37432 200 cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200 cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200 cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 application/octet-stream 115020 200 cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - 327 200 What just happened? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 21. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Examples: DNS Passive DNS traffic acquisition and analysis a couple of examples (last week) domain ip owner rtvwerjyuver.com 69.164.203.105 linode tvrstrynyvwstrtve.com 109.74.196.143 linode cu3007133.wfaxyqykxh.ru . . . what does your DNS traffic look like..? Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 22. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS viz01 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 23. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS viz02 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 24. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS anonymizer traffc Anonimizer 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd 8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru 8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.d 8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.d 8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34 8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34 Time: Today 09:59:15pm Description: Phishing.bpwh Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 25. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Covert channel communication 8/13/2014 5:49:04 PM − x . x . x . x − 5141017. mtdtzwdhc . mdgtmtmmd 8/13/2014 5:49:04 PM − x . x . x . x − 5141017. mtdtzwdhc . mdgtmtmmd Time : Today 13:19:25 D e s c r i p t i o n : REP. b i l s c z Detected at Today 13:19:25 I n t e r f a c e Name : bond1 .382 I n t e r f a c e D i r e c t i o n : outbound Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 26. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Sinkhole in DNS Credit: domaintools.com Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 27. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Sinkhole in DNS Credit: domaintools.com Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 28. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response DNS Suspicious activity: DNS lookups: kojxlvfkpl.biz:149.93.207.203 kojxlvfkpl.biz:216.66.15.109 kojxlvfkpl.biz:38.102.150.27 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 29. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Look for holes :) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 30. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Hole traffic Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 31. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Usability of sandboxes Sandboxes could be helpful to analyze mal. content. However, they are often not very practical. A few examples (delivery via SMTP) 1.zip FW supplier data form.msg How to Get Thin Quick.msg Losing a size within a fortnight It’s easy.msg 20141308.msg Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 32. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Problems with Sandboxing Known tricks matching environment code behaves differently depending on: environment, time, user interaction, time-zone, .. performance (timeouts, ..) Use interaction Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 33. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Stages of incident detection Before Incident (Security Awareness, Pentests, etc.) Access attempt Access obtained Privilege escalation Execution of attack goal Post-incident IR (too late)) Incidents VS Stages of detection ~= how monitoring team operates with current limitations in Environment Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 34. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents VS Stages of detection(1) common belief incidents/stages before attempt obtained escl impl late Malicious code 5 5 Malicious code, with .. 5 5 Anomalous activity 8 2 Out of the scope .. Untrusted executables 1 9 Direct reputation risk 10 Indirect reputation risk 10 Targeted Attack (APT) 8 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 35. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents VS Stages of detection(2) reality incidents/stages before attempt obtained escl impl late Malicious code 1 2 2 2 3 Malicious code, with .. 1 2 2 3 2 Anomalous activity 1 3 2 2 2 Out of the scope .. 2 8 Untrusted executables 2 3 3 2 Direct reputation risk 2 2 3 3 Indirect reputation risk 2 2 3 3 Targeted Attack (APT) 1 1 1 2 5 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 36. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Attack delivery method incidents/delivery web email ext.storage share services other Malicious code 5 2 2 1 Malicious code, with .. 5 2 2 1 Anomalous activity 1 3 2 1 1 2 Out of the scope .. 3 3 2 2 Untrusted executables 4 3 1 2 Direct reputation risk 3 2 3 2 Indirect reputation risk 3 2 1 2 2 Targeted Attack (APT) 2 3 1 2 2 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 37. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response How can you improve your security posture Cross-correlate your historical data including data from following sources: Incidents Detection systems (ips/ids/av/fw/..): map type of incident to component that detects those. Stages of detection - and incidents Delivery method - which network detection components detect what delivery methods. use community contributions :) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 38. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Specific incident attributes Availability first Conflict of interest: flag Restrictions on information sharing: limits the quality of teams collaboration Manual routing of information sharing for the special cases Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 39. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incidents categorization Categorisation based on Vendor knowledge Categorisation based on public sources Categorisation based on internal intel. Categorisation based on limited IOCs sharing to the focused groups Attribution Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 40. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Tools and Execution There is a number of tools we can share. Some are developed by us. Other - are just very good open source projects. http://github.com/fygrave/ndf http://github.com/fygrave/hntp fiddler elasticsearch && http://github.com/aol/moloch (vm) yara (as moloch plugin) hpfeeds CIF Indicators of Compromise is one of essential information mediums here to represent facts on incident(s). Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 41. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Mining public knowledge There is a lot of public knowledge you could mine. CIF is a fantastic tool for that. https://github.com/collectiveintel/cif-v1 Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 42. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response CIF: example grabbing shadowserver data: Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 43. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response CIF: example Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 44. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response IOC representations Multiple standards have been created to facilitate IOC exchanges. Madiant: OpenIOC Mitre: STIX (Structured Threat Information Expression), CyBOX (CyberObservable Expression) Mitre: CAPEC, TAXII IODEF (Incident Object Description Format) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 45. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Standards: OpenIOC OpenIOC - Mandiant-backed effort for unform representation of IOC (now FireEye) http://www.openioc.org/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 46. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response RAW Data Preservation Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 47. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Moloch as detection tool Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 48. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Tools for Dynamic Detection Moloch Moloch supports Yara (IOCs can be directly applied) Moloch allows you to develop your own plugins Moloch has awesome tagger plugin: # tagger . so # p r o v i d e s a b i l i t y to import t e x t f i l e s with IP and/ or hostn # i n t o a sensor that would cause autotagging of a l l matching p l u g i n s=tagger . so t a g g e r I p F i l e s=b l a c k l i s t , tag , tag , tag . . . taggerDomainFiles=domainbasedblacklists , tag , tag , tag Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 49. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Extending Moloch Moloch is easily extendable with your own plugins https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with moloch via zmq queue pub/sub or push/pull model Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 50. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Moloch ZMQ example CEP-based analysis of network-traffic (using ESPER): https://github.com/fygrave/clj-esptool/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 51. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Fake targets Honeypots are very useful when dealing with unknown threats or when dealing with environments with limited capabilities (VPN, BYOD, ..) Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 52. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Honeypot data sharing HPFeeds could be used to share honeypot data feeds in controlled manner via your own broker. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 53. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Last not least :) Incident response: your availability is impacted by your investigation capabilities. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 54. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Incident Response: some details Ways to determine scope (impact) Ways to minimize scope (impact) Response to the threats with known scope (impact) Response to the threats with unknown scope (impact) Keep historical record of the process. Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org
  • 55. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response Questions Q&A our slides: http://www.slideshare.net/burguzbozo/ Living with compromise: Enterprise Network Survival in tough Russian Environment Affilations: Academia Sinica, o0o.nu, chroot.org