This document discusses moving beyond mere prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail, so the focus should shift to detecting breaches. It suggests that red team assessments move from just finding vulnerabilities to acting as training partners for blue teams, providing indicators of compromise (IOCs), attack signatures, and use cases that help improve detection capabilities. The Pyramid of Pain model is presented to show the progression from indicators such as attacker tools up to the full tactics, techniques and procedures (TTPs) used by attackers.
2. whoami /all
• Lead Security Consultant at Northwestern Mutual
• @MilSec Leader
• OWASP Milwaukee Leader
• Wisconsin CCDC Red Team member
• Team member of the 2015 DerbyCon CTF champs
• Twitterz: @ztgrace
6. ASSUME COMPROMISE
• Protective technologies will fail
• Shifts blue team’s focus to the Detect phase
• Breach readiness as a mantra
7. PROTECTION FAILS
• Protection tools are often based on signatures
• Preventative in nature
• Examples of protective technologies:
  • Anti-virus
  • Firewalls
  • IDS & IPS
  • Web App Firewalls (WAF)
  • Web Proxies
  • Sandbox
10. ZoxPNG
• Used technet.microsoft.com for command and control
https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/
11. DETECT ISSUES
• Logging too little/much
• Poor security information and event management (SIEM) correlation
• Ineffective security monitoring
• Insufficient training to create use cases
19. ∆ FORCE OBJECTIVES
• Provide IOCs and attack signatures alongside vulns in reports
• Perform threat simulations based on threat modeling
• Break down attacks into stages
• Validate detection at each stage, and assist with correlation
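Added example (not from the talk): a small detection-coverage check that applies the last two objectives. The red team hands over one indicator per attack stage, the blue team replays its own log sample through them, and the output shows which stages fired, which are detection gaps, and which hosts have enough correlated stages to count as an attack chain. All stage names, indicator patterns, host names and log lines are constructed for illustration; the C2 indicator mirrors the ZoxPNG technet.microsoft.com example and, on its own, also matches legitimate traffic, which is why the correlation step exists.

```python
import re
from collections import defaultdict

# Constructed: one indicator pattern per stage, as a red team might report
# alongside the findings.  "exfil" is deliberately absent from the sample
# logs below so the report shows a detection gap.
STAGES = [
    ("delivery", r"attachment=invoice_\d+\.docm"),
    ("execution", r"powershell\.exe .*-enc"),
    ("c2", r"technet\.microsoft\.com"),       # weak alone: legitimate site
    ("exfil", r"POST .* bytes_out=\d{7,}"),
]

# Constructed log sample: "<timestamp> <host> <source> <details>".
LOGS = [
    "2015-10-01T09:14:02 ws17 mail attachment=invoice_4471.docm",
    "2015-10-01T09:14:40 ws17 process powershell.exe -nop -w hidden -enc BASE64PAYLOAD",
    "2015-10-01T09:15:03 ws17 proxy GET https://technet.microsoft.com/en-us/library/",
    "2015-10-01T09:20:11 ws22 proxy GET https://technet.microsoft.com/en-us/library/",
]


def check_coverage(stages, logs):
    """Return {stage: [hosts on which the stage's indicator matched]}."""
    hits = {name: [] for name, _ in stages}
    for line in logs:
        host = line.split()[1]
        for name, pattern in stages:
            if re.search(pattern, line) and host not in hits[name]:
                hits[name].append(host)
    return hits


def correlate(hits, min_stages=2):
    """Hosts where at least min_stages stages fired: candidate attack chains."""
    per_host = defaultdict(set)
    for stage, hosts in hits.items():
        for host in hosts:
            per_host[host].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


def report(stages=STAGES, logs=LOGS):
    """Return (per-stage hits, stages with no detection, correlated chains)."""
    hits = check_coverage(stages, logs)
    gaps = [stage for stage, hosts in hits.items() if not hosts]
    return hits, gaps, correlate(hits)


if __name__ == "__main__":
    hits, gaps, chains = report()
    print("hits:", hits)
    print("gaps:", gaps)          # stages the blue team cannot yet see
    print("chains:", chains)      # ws22 is excluded: a lone technet hit is noise
```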
39. TIPS FOR DEFENSE
• Use pen test & red team engagements as training exercises
• Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc.)
• Sit with and learn from the red team
• Rotate your testing firms or rotate your testers
• Perform root cause analysis on vulnerabilities
40. TIPS FOR OFFENSE
• Be a sparring partner
• Provide more data like IOCs, PCAPs, logs, etc.
• Incorporate use cases into reports
• Provide artifacts to reproduce attacks