It's no secret that cybercriminals, and the dynamic methods they use to do their dirty work, are evolving faster than companies, governments and individuals are able to deal with them. Dexterity, unmatched domain expertise and the element of surprise create advantages that grow each day. But what if IT security practitioners could use that power against their enemies, Jujitsu style?
Dr. Eric Cole says this is not only possible, but it’s time to go on the offensive against attackers by using their intelligence, desire for attention, financial motivations and attack tendencies against them to strengthen your own security posture. Dr. Cole, a celebrated author, cyber security consultant for governments and the Fortune 100, and a former CIA security analyst, highlights some of the biggest IT security threats and the critical weaknesses that unleash them on corporations and governments. Cole, president of enterprise and government cyber consultancy Secure Anchor Consulting, discusses:
Two of the most widely talked about threats in 2010, the ZeuS botnet and the Stuxnet worm.
How you can fortify your defenses using the principles of Jujitsu to quickly identify your foes and neutralize them.
How these principles can help you turn the motivations of your foes against them to achieve better security.
How an integrated security information and event management (SIEM) and file integrity monitoring (FIM) solution can detect threats faster, find an attacker's footprints before a breach and seal off discovered weaknesses in real time through on demand remediation.
15. Sophisticated – Yes and No
Attack chain shown on the slide:
User receives email/IM with malicious link
User clicks on link
Browser downloads/executes malicious javascript
Binary disguised as an image is downloaded and executes
Back door is set up and connects to C&C servers
Attackers have complete access to internal systems
22. Must Make Better Use Of Existing Data
“We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%” (2010)
23. Raw Log Data
Diagram: raw log data yields change events and log events, answering “Am I Secure?” and “Is Policy Impacted?”; correlating the two surfaces the Events of Interest.
24. Example: Correlating Log & Change Events
5 failed logins
Login successful
Windows event log cleared
Logging turned off
Host not generating events
Policy test fails
25. Tripwire VIA
VISIBILITY: across the entire IT infrastructure
INTELLIGENCE: enable better, faster decisions
AUTOMATION: reduce manual, repetitive tasks
26. Tripwire VIA: IT Security & Compliance Automation
Event Database: correlate to Bad Changes, correlate to Suspicious Events
27. THANK YOU!
Dr. Eric Cole
President
Secure Anchor Consulting, LLC
www.tripwire.com
E-mail: drcole@secure-anchor.com
Editor's notes
The War on Stupid – Dr. Eric Cole
Tee up your You Can’t Stop Stupid… presentation
Call out some of the alarming data in that presentation that showed a growth in Malware, the misconception about Apple being impervious to attack, your Trends info + Cloud vulnerability/inevitability.
Common mistakes and how to create a process for erasing them to achieve security (continuous configuration monitoring and remediation, finding threats in log files, maintaining a militant patch management program, a layered security approach, etc.)
The Dumbing Down of Cyber crime – Speak to the common belief that attackers are of a superior mind, discipline and technical acumen than those seeking to stop them, and that they’re all part of a Russian crime syndicate. Shine some light on the percentages of truly sophisticated attackers vs. sophisticated attacks by less skilled attackers (script kiddies using Zeus, etc.). A rapidly evolving cyber crime landscape that has the same behavior as an Enterprise/SMB:
How can I cut costs and find the quickest way to revenue with the least amount of effort?
What can I reuse/repurpose to achieve that goal?
What weaknesses can companies/organizations leverage in this new model that we can exploit against attackers?
CYBER JUJITSU 101 – What is it? A disciplined IT Security process and practice to defend yourself against and respond to cyber threats. (KNOW YOUR OPPONENT > IDENTIFY WEAKNESSES > EXPLOIT THEM > NEUTRALIZE ATTACK > GROW REPUTATION AS A TOUGHER TARGET)
Common attacker behavior, persona, motivation
Cyber Jujitsu 101 – Counter Moves to Even the Match Up
Cyber Jujitsu 101 – How to spot a precursor to an attack and an attack in progress
Cyber Jujitsu 101 – 5 Things Attackers are Doing that they don’t want you to know about
Cyber Jujitsu 101 – 5 Things you should do right after this webcast to be ready for a cyber criminal
Over the last several years many organizations have put collection systems in place to meet PCI requirements. They put in log management and FIM along with other security tools. And they have been collecting a ton of data ever since. So they have plenty of data to meet compliance requirements. But the problem is they have too much data for it to be useful. And it is almost impossible to quickly know if any of the data is indicating a security issue. It’s like trying to find a single land-mine in a massive land-fill before it goes off and causes damage.
This is really what you want to know. Five failed logins followed by a successful login is, on its own, probably a low-to-medium alert; in fact it is so common that it contributes to SIEM overload. Getting an unrelated alert for each one of these steps along the way won’t help either. We think you need the context to see all of them happening in concert, so you can quickly spot the complicated patterns that impact security.
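The correlation described on slide 24 and in the note above, written out as an added example (this is not Tripwire's, Dr. Cole's or the webcast's code). It replays a constructed stream of Windows Security log events and configuration-change events, groups them per host in time order, and scores how much of the chain is present: a burst of failed logons followed by a success, the event log cleared, logging turned off, the host going quiet, and a policy test failing. The Windows event IDs (4625 failed logon, 4624 successful logon, 1102 audit log cleared, 1100 event logging service shut down) are real; the host names, accounts, timestamps, the pipe-delimited line format and the two change-event type names are assumptions made for the example.

```python
"""Correlate Windows log events and change events into one scored alert.

Added example, not code from the webcast. Event IDs 4625/4624/1102/1100 are
real Windows Security IDs; everything else (hosts, users, timestamps, the
line format, the change-event names) is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON, LOGON_OK, LOG_CLEARED, LOGGING_STOPPED = "4625", "4624", "1102", "1100"
AUDIT_DISABLED, POLICY_FAILED = "audit_policy_disabled", "policy_test_failed"  # assumed names


@dataclass
class Event:
    ts: datetime
    host: str
    source: str  # "winlog" or "change"
    kind: str    # Windows event ID, or change type when source == "change"
    user: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed line of the form ts|host|source|kind|user."""
    ts, host, source, kind, user = (line.split("|") + [""])[:5]
    return Event(datetime.fromisoformat(ts), host, source, kind, user)


# Constructed sample: wks-042 is a user mistyping a password five times;
# srv-fin-01 shows the whole chain from slide 24.
SAMPLE = """\
2010-11-02T09:00:00|wks-042|winlog|4625|jdoe
2010-11-02T09:00:05|wks-042|winlog|4625|jdoe
2010-11-02T09:00:10|wks-042|winlog|4625|jdoe
2010-11-02T09:00:15|wks-042|winlog|4625|jdoe
2010-11-02T09:00:20|wks-042|winlog|4625|jdoe
2010-11-02T09:00:30|wks-042|winlog|4624|jdoe
2010-11-02T09:25:00|wks-042|winlog|4624|jdoe
2010-11-02T09:01:00|srv-fin-01|winlog|4625|administrator
2010-11-02T09:01:02|srv-fin-01|winlog|4625|administrator
2010-11-02T09:01:04|srv-fin-01|winlog|4625|administrator
2010-11-02T09:01:06|srv-fin-01|winlog|4625|administrator
2010-11-02T09:01:08|srv-fin-01|winlog|4625|administrator
2010-11-02T09:01:10|srv-fin-01|winlog|4624|administrator
2010-11-02T09:03:00|srv-fin-01|winlog|1102|administrator
2010-11-02T09:03:30|srv-fin-01|change|audit_policy_disabled|administrator
2010-11-02T09:04:00|srv-fin-01|change|policy_test_failed|
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE.splitlines() if l.strip()]
NOW = datetime.fromisoformat("2010-11-02T09:30:00")  # end of the analysis window


def severity(stage_count: int) -> str:
    """Score by how much of the chain is present, not by any single event."""
    if stage_count == 0:
        return "none"
    if stage_count == 1:
        return "low"  # brute force then success alone: common, noisy, not urgent
    return "medium" if stage_count == 2 else "high"


def correlate(events: List[Event], now: datetime,
              window: timedelta = timedelta(minutes=30),
              failed_threshold: int = 5,
              quiet_after: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {host: {"stages": [...], "severity": ...}} for every host seen."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host[e.host].append(e)

    results = {}
    for host, evs in by_host.items():
        stages: List[str] = []
        fails = defaultdict(list)  # account -> timestamps of 4625
        pivot = None               # time of the successful logon ending the burst
        for e in evs:
            if e.source != "winlog":
                continue
            if e.kind == FAILED_LOGON:
                fails[e.user].append(e.ts)
            elif e.kind == LOGON_OK and pivot is None:
                recent = [t for t in fails[e.user] if e.ts - t <= window]
                if len(recent) >= failed_threshold:
                    pivot = e.ts
                    stages.append(f"{len(recent)} failed logons then success for {e.user}")
        if pivot is not None:
            # Only events after the pivot, inside the window, count as the same story.
            later = [x for x in evs if pivot <= x.ts <= pivot + window]
            if any(x.source == "winlog" and x.kind == LOG_CLEARED for x in later):
                stages.append("event log cleared")
            if any((x.source == "winlog" and x.kind == LOGGING_STOPPED)
                   or (x.source == "change" and x.kind == AUDIT_DISABLED) for x in later):
                stages.append("logging turned off")
            if now - evs[-1].ts >= quiet_after:  # silence itself is the signal
                stages.append("host stopped generating events")
            if any(x.source == "change" and x.kind == POLICY_FAILED for x in later):
                stages.append("policy test fails")
        results[host] = {"stages": stages, "severity": severity(len(stages))}
    return results


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS, NOW).items():
        print(f"{host}: {r['severity'].upper()} -> " + "; ".join(r["stages"]))
```

Run as-is, wks-042 scores LOW with the single "failed logons then success" stage, while srv-fin-01 scores HIGH with all five stages, which is the point of the note: the same first event produces a different alert depending on what follows it, and the "host stopped generating events" check only works because the correlator tracks absence of data, not just events that arrived.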